xmrig | 3fafa712da0030c0204816cd40caf03be58662a6abf8f4b0d26e985b5fe1c1a2

General

Target

667553978ae2e362b6ca37db89d5aeb0N.exe
Size

1.9MB
MD5

667553978ae2e362b6ca37db89d5aeb0
SHA1

ad6d18b361251d816026b005c98a2b1bfac58c01
SHA256

3fafa712da0030c0204816cd40caf03be58662a6abf8f4b0d26e985b5fe1c1a2
SHA512

f16a8b3996d9ed0b372030b664d98e1cdf452e60de1714abc35b98cbbf5bcb7266ded918c5d5f4c1b4a4e74a2506c05a742df19c8dbb5149b39a7e769b49e568
SSDEEP

24576:275G5OqsLi3vF7tqtBR0D7BNTcOmooqmsP+J9s373m2N7BZgQwqGLTER0DGb889C:291qGUvF7tq5G1Tx373mG7TGEyj78h4

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/776-43-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral1/memory/776-41-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral1/memory/776-46-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WpcMon.url	667553978ae2e362b6ca37db89d5aeb0N.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/776-34-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/776-37-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/776-43-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/776-41-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/776-40-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/776-36-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/776-39-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/776-46-0x0000000000400000-0x0000000000626000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2844-20-0x0000000000400000-0x000000000081C000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2728	2844	667553978ae2e362b6ca37db89d5aeb0N.exe	30
PID 2728 set thread context of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	667553978ae2e362b6ca37db89d5aeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	667553978ae2e362b6ca37db89d5aeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe
2728	667553978ae2e362b6ca37db89d5aeb0N.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	667553978ae2e362b6ca37db89d5aeb0N.exe
Token: SeLockMemoryPrivilege	776	notepad.exe
Token: SeLockMemoryPrivilege	776	notepad.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2844	667553978ae2e362b6ca37db89d5aeb0N.exe
2844	667553978ae2e362b6ca37db89d5aeb0N.exe
2844	667553978ae2e362b6ca37db89d5aeb0N.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2844	667553978ae2e362b6ca37db89d5aeb0N.exe
2844	667553978ae2e362b6ca37db89d5aeb0N.exe
2844	667553978ae2e362b6ca37db89d5aeb0N.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2728	2844	667553978ae2e362b6ca37db89d5aeb0N.exe	30
PID 2844 wrote to memory of 2728	2844	667553978ae2e362b6ca37db89d5aeb0N.exe	30
PID 2844 wrote to memory of 2728	2844	667553978ae2e362b6ca37db89d5aeb0N.exe	30
PID 2844 wrote to memory of 2728	2844	667553978ae2e362b6ca37db89d5aeb0N.exe	30
PID 2844 wrote to memory of 2728	2844	667553978ae2e362b6ca37db89d5aeb0N.exe	30
PID 2844 wrote to memory of 2728	2844	667553978ae2e362b6ca37db89d5aeb0N.exe	30
PID 2728 wrote to memory of 2400	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	33
PID 2728 wrote to memory of 2400	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	33
PID 2728 wrote to memory of 2400	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	33
PID 2728 wrote to memory of 2400	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	33
PID 2400 wrote to memory of 2136	2400	cmd.exe	35
PID 2400 wrote to memory of 2136	2400	cmd.exe	35
PID 2400 wrote to memory of 2136	2400	cmd.exe	35
PID 2400 wrote to memory of 2136	2400	cmd.exe	35
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36
PID 2728 wrote to memory of 776	2728	667553978ae2e362b6ca37db89d5aeb0N.exe	36

C:\Users\Admin\AppData\Local\Temp\667553978ae2e362b6ca37db89d5aeb0N.exe
"C:\Users\Admin\AppData\Local\Temp\667553978ae2e362b6ca37db89d5aeb0N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\667553978ae2e362b6ca37db89d5aeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\667553978ae2e362b6ca37db89d5aeb0N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C WScript "C:\ProgramData\EiNJhfkBGQ\r.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\wscript.exe
      WScript "C:\ProgramData\EiNJhfkBGQ\r.vbs"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:2136
- - C:\Windows\notepad.exe
    "C:\Windows\notepad.exe" -c "C:\ProgramData\EiNJhfkBGQ\cfgi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EiNJhfkBGQ\cfgi

Filesize
916B

MD5
e09e48514b09cb30e319a24f0b7ad2ad

SHA1
922dd0d3c2c822b59a83d052e0766753215413b3

SHA256
7d5a4c9049e4b5bfbc510872e079dde0c8ccbd2bbfaff85c2ec5623cacda1d86

SHA512
38696fe6b64e65395f4e6da31bd0e344722469902e94cb8a6ab10deddb048182f2f9490a10173596f2261addff1e9f35f0e809a55f63aba6f4db800b188f7634

Download Submit
C:\ProgramData\EiNJhfkBGQ\r.vbs

Filesize
660B

MD5
8a2c9828d9798fe9b3e4ba311b185c8d

SHA1
8d9c0d1053e9f5368b793c6afd3f2cf5dd51d05b

SHA256
682431149918ecaa1d546dd1fbb66e0110b715448106c11a930627a26e311c47

SHA512
c4827f0224449b2462ec811583f5689d0be3b5c7bb9078665c8ea8641c9878da164cbe2f8f10c1bac0200300037bf88d9def0770aadbec56104b92382f6145da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url

Filesize
73B

MD5
18ce536d947459cf389b8ec26826ad28

SHA1
60e49575cce266679a3a80f1df3a05d319384445

SHA256
ea125aea8b043b8811fe66b129b5e6afb5bc272cb121cbc2ef7c440bc78430c9

SHA512
3cfa58f79fd372d1e1af69cfaa74f4998c52911b484bab7550f387cc181019b57b756a6d2ca143df7fb88fa1d6560b6e547e381dc0834e35529a20c1020bb95a

Download Submit
memory/776-41-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/776-40-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/776-46-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/776-44-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/776-39-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/776-36-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/776-43-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/776-37-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/776-34-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/2728-17-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-21-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-7-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-9-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-45-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2844-19-0x0000000003AC0000-0x0000000003EDC000-memory.dmp

Filesize
4.1MB

Download
memory/2844-0-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2844-20-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing