xmrig | dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8

General

Target

dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
Size

10.6MB
MD5

079d166295bafa2ab44902c8bf5ff2a5
SHA1

46e728a035c3fd9618f823a5d0b525a9aa22e1c1
SHA256

dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8
SHA512

949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b
SSDEEP

196608:rOcTCbnBZ+FV7CyJBPuYI8wha0mlCGMbM77RWWuhJzoSpc92tQRqIDfrDabGoDqs:rNTCbnYFXzPuH8kv477RWXJs59NqIPmp

Score

10^/10

xmrig evasion execution miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/3316-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-32-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-43-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3316-44-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
732	orpqcnvisucm.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4736	powercfg.exe
4112	powercfg.exe
2332	powercfg.exe
1536	powercfg.exe
780	powercfg.exe
4952	powercfg.exe
392	powercfg.exe
872	powercfg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 732 set thread context of 1808	732	orpqcnvisucm.exe	107
PID 732 set thread context of 3316	732	orpqcnvisucm.exe	108

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
376	sc.exe
5100	sc.exe
2828	sc.exe
5016	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
4928	dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
732	orpqcnvisucm.exe
732	orpqcnvisucm.exe
732	orpqcnvisucm.exe
732	orpqcnvisucm.exe
732	orpqcnvisucm.exe
732	orpqcnvisucm.exe
732	orpqcnvisucm.exe
732	orpqcnvisucm.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeShutdownPrivilege	392	powercfg.exe
Token: SeCreatePagefilePrivilege	392	powercfg.exe
Token: SeShutdownPrivilege	780	powercfg.exe
Token: SeCreatePagefilePrivilege	780	powercfg.exe
Token: SeShutdownPrivilege	872	powercfg.exe
Token: SeCreatePagefilePrivilege	872	powercfg.exe
Token: SeShutdownPrivilege	4952	powercfg.exe
Token: SeCreatePagefilePrivilege	4952	powercfg.exe
Token: SeShutdownPrivilege	2332	powercfg.exe
Token: SeCreatePagefilePrivilege	2332	powercfg.exe
Token: SeShutdownPrivilege	4112	powercfg.exe
Token: SeCreatePagefilePrivilege	4112	powercfg.exe
Token: SeLockMemoryPrivilege	3316	svchost.exe
Token: SeShutdownPrivilege	4736	powercfg.exe
Token: SeCreatePagefilePrivilege	4736	powercfg.exe
Token: SeShutdownPrivilege	1536	powercfg.exe
Token: SeCreatePagefilePrivilege	1536	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 1808	732	orpqcnvisucm.exe	107
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108
PID 732 wrote to memory of 3316	732	orpqcnvisucm.exe	108

C:\Users\Admin\AppData\Local\Temp\dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe
"C:\Users\Admin\AppData\Local\Temp\dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "RRTELIGS"
  2⤵
  - Launches sc.exe
  PID:376
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:5100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "RRTELIGS"
  2⤵
  - Launches sc.exe
  PID:5016

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1808
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

Power Settings

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

Filesize
10.6MB

MD5
079d166295bafa2ab44902c8bf5ff2a5

SHA1
46e728a035c3fd9618f823a5d0b525a9aa22e1c1

SHA256
dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8

SHA512
949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b

Download Submit
memory/732-37-0x0000000140000000-0x00000001419FB000-memory.dmp

Filesize
26.0MB

Download
memory/732-34-0x0000000140000000-0x00000001419FB000-memory.dmp

Filesize
26.0MB

Download
memory/732-13-0x0000000140000000-0x00000001419FB000-memory.dmp

Filesize
26.0MB

Download
memory/1808-20-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1808-18-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1808-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1808-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1808-17-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1808-23-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3316-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-44-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-36-0x000001C687D60000-0x000001C687D80000-memory.dmp

Filesize
128KB

Download
memory/3316-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-32-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-43-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3316-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4928-6-0x0000000140000000-0x00000001419FB000-memory.dmp

Filesize
26.0MB

Download
memory/4928-9-0x0000000140CAE000-0x0000000140F55000-memory.dmp

Filesize
2.7MB

Download
memory/4928-5-0x0000000140CAE000-0x0000000140F55000-memory.dmp

Filesize
2.7MB

Download
memory/4928-3-0x0000000140000000-0x00000001419FB000-memory.dmp

Filesize
26.0MB

Download
memory/4928-2-0x0000000140000000-0x00000001419FB000-memory.dmp

Filesize
26.0MB

Download
memory/4928-1-0x00007FF9C1CB0000-0x00007FF9C1CB2000-memory.dmp

Filesize
8KB

Download
memory/4928-0-0x0000000140CAE000-0x0000000140F55000-memory.dmp

Filesize
2.7MB

Download
memory/4928-8-0x0000000140000000-0x00000001419FB000-memory.dmp

Filesize
26.0MB

Download

Analysis

Sharing