xmrig | b0240da451e1f77551f02fd2486992edc1e07c4c87f23a3fd4292a2ab5fab11a

General

Target

63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
Size

2.5MB
MD5

4691a9fe21f8589b793ea16f0d1749f1
SHA1

5c297f97142b7dad1c2d0c6223346bf7bcf2ea82
SHA256

63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904
SHA512

ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386
SSDEEP

49152:F9/HgTHqHoKCMrALmVS0VcfxXke6QHwpIdRgxh4+nAfHI:F9/HgTHyRrALmyfxXk5pIdRgxhTnu

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2624-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
476	Process not Found
2708	wfbrmcwrltkl.exe

Loads dropped DLL 1 IoCs

pid	Process
476	Process not Found

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2568	powercfg.exe
3048	powercfg.exe
2460	powercfg.exe
2720	powercfg.exe
2192	powercfg.exe
2000	powercfg.exe
3004	powercfg.exe
2240	powercfg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2624	2708	wfbrmcwrltkl.exe	53

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2388	sc.exe
2556	sc.exe
2672	sc.exe
2684	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2232	63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
2708	wfbrmcwrltkl.exe
2708	wfbrmcwrltkl.exe
2708	wfbrmcwrltkl.exe
2708	wfbrmcwrltkl.exe
2708	wfbrmcwrltkl.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2192	powercfg.exe
Token: SeShutdownPrivilege	2240	powercfg.exe
Token: SeShutdownPrivilege	3004	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeShutdownPrivilege	2460	powercfg.exe
Token: SeShutdownPrivilege	2720	powercfg.exe
Token: SeShutdownPrivilege	3048	powercfg.exe
Token: SeShutdownPrivilege	2568	powercfg.exe
Token: SeLockMemoryPrivilege	2624	explorer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2624	2708	wfbrmcwrltkl.exe	53
PID 2708 wrote to memory of 2624	2708	wfbrmcwrltkl.exe	53
PID 2708 wrote to memory of 2624	2708	wfbrmcwrltkl.exe	53
PID 2708 wrote to memory of 2624	2708	wfbrmcwrltkl.exe	53
PID 2708 wrote to memory of 2624	2708	wfbrmcwrltkl.exe	53

C:\Users\Admin\AppData\Local\Temp\63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe
"C:\Users\Admin\AppData\Local\Temp\63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "xjuumoinznsp"
  2⤵
  - Launches sc.exe
  PID:2388
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2556
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2672
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "xjuumoinznsp"
  2⤵
  - Launches sc.exe
  PID:2684

C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

Power Settings

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe

Filesize
2.5MB

MD5
4691a9fe21f8589b793ea16f0d1749f1

SHA1
5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

SHA256
63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

SHA512
ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

Download Submit
memory/2624-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-12-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2624-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing