xmrig | 38e4ff6cd8509ed0b208a435067e5d4130e1febe786086769d46818ac8ab2657

General

Target

miner-100%.exe
Size

2.5MB
MD5

0f03098ba3c106a018592bf8b4142cdc
SHA1

1e5ea6614b07148173da9efaa4bfe87f978c6874
SHA256

38e4ff6cd8509ed0b208a435067e5d4130e1febe786086769d46818ac8ab2657
SHA512

cb5d2ce1fe41bd5f2994b15de2bdec3a48b0c98647794a84853ee2a95e8466bb8db2b1da22ed3dd51c0e77de818e206947fb069917480d562d0d293d9a8cd1ae
SSDEEP

49152:Z07rDD13GoljEHtRoY+2HSeN4DMcV0jOG0YRyvVB:ZoDD12oaC2HSE4oC0jODYRyv

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1808-19-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1808-18-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1808-24-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1808-25-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1808-23-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1808-22-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1808-21-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1808-26-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 2 IoCs

Processes:

qmigminowdmj.exe

pid process

472
2928 qmigminowdmj.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

472

pid	process
472
2928	qmigminowdmj.exe

pid	process
472

Suspicious use of SetThreadContext 2 IoCs

Processes:

qmigminowdmj.exe

description	pid	process	target process
PID 2928 set thread context of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 set thread context of 1808	2928	qmigminowdmj.exe	explorer.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1808-13-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-16-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-19-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-17-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-15-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-18-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-14-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-24-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-25-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-23-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-22-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-21-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1808-26-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2252	sc.exe
2936	sc.exe
2752	sc.exe
2744	sc.exe
2828	sc.exe
2624	sc.exe
2400	sc.exe
2900	sc.exe
2684	sc.exe
2344	sc.exe
2932	sc.exe
2656	sc.exe
2764	sc.exe
1956	sc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

miner-100%.exeqmigminowdmj.exe

pid	process
1724	miner-100%.exe
1724	miner-100%.exe
1724	miner-100%.exe
1724	miner-100%.exe
1724	miner-100%.exe
1724	miner-100%.exe
1724	miner-100%.exe
1724	miner-100%.exe
1724	miner-100%.exe
2928	qmigminowdmj.exe
2928	qmigminowdmj.exe
2928	qmigminowdmj.exe
2928	qmigminowdmj.exe
2928	qmigminowdmj.exe
2928	qmigminowdmj.exe
2928	qmigminowdmj.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

miner-100%.exeqmigminowdmj.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1724	miner-100%.exe
Token: SeDebugPrivilege	2928	qmigminowdmj.exe
Token: SeLockMemoryPrivilege	1808	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

qmigminowdmj.exe

description	pid	process	target process
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 2244	2928	qmigminowdmj.exe	conhost.exe
PID 2928 wrote to memory of 1808	2928	qmigminowdmj.exe	explorer.exe
PID 2928 wrote to memory of 1808	2928	qmigminowdmj.exe	explorer.exe
PID 2928 wrote to memory of 1808	2928	qmigminowdmj.exe	explorer.exe
PID 2928 wrote to memory of 1808	2928	qmigminowdmj.exe	explorer.exe
PID 2928 wrote to memory of 1808	2928	qmigminowdmj.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\miner-100%.exe
"C:\Users\Admin\AppData\Local\Temp\miner-100%.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2252

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:2936

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2344

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2752

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UOLNUFYN"
2⤵
- Launches sc.exe
PID:2900

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UOLNUFYN" binpath= "C:\ProgramData\yprnrjbhkkgo\qmigminowdmj.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2764

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2932

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UOLNUFYN"
2⤵
- Launches sc.exe
PID:2744

C:\ProgramData\yprnrjbhkkgo\qmigminowdmj.exe
C:\ProgramData\yprnrjbhkkgo\qmigminowdmj.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2828

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1956

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:2656

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2624

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2684

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2244

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\yprnrjbhkkgo\qmigminowdmj.exe

Filesize
2.5MB

MD5
0f03098ba3c106a018592bf8b4142cdc

SHA1
1e5ea6614b07148173da9efaa4bfe87f978c6874

SHA256
38e4ff6cd8509ed0b208a435067e5d4130e1febe786086769d46818ac8ab2657

SHA512
cb5d2ce1fe41bd5f2994b15de2bdec3a48b0c98647794a84853ee2a95e8466bb8db2b1da22ed3dd51c0e77de818e206947fb069917480d562d0d293d9a8cd1ae

Download Submit
memory/1808-22-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-29-0x0000000001010000-0x0000000001030000-memory.dmp

Filesize
128KB

Download
memory/1808-17-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-30-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download
memory/1808-15-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-28-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download
memory/1808-13-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-16-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-20-0x0000000000730000-0x0000000000750000-memory.dmp

Filesize
128KB

Download
memory/1808-19-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-31-0x0000000001010000-0x0000000001030000-memory.dmp

Filesize
128KB

Download
memory/1808-26-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-24-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-14-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-18-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-25-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-23-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1808-21-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2244-11-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2244-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2244-5-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2244-4-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2244-6-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2244-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads