xmrig | d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201

General

Target

943590af47af06d1bca1570bc116b25d.exe
Size

5.0MB
MD5

943590af47af06d1bca1570bc116b25d
SHA1

53eeb46310d02859984c6fa0787c5e6e3a274198
SHA256

d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201
SHA512

c3604262bcddc1bd092e29c17527d14f445ece56845b7a1596c735140a5590f947bc5796492f74fa1c673d3deeb69066de25a8ecd5f879ef6e15c44f0cf1f773
SSDEEP

98304:onw0oQREXMrEuBiq3gDkbAFcRWhgJsJpZqegs7eCCV2M8mrSrkFcQ7t0ZgpPpY:onw0BREX3kookFrKuAA7mV2M8CUKcW0F

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2960-22-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2960-25-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2960-24-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2960-19-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2960-23-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2960-18-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2960-21-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2960-26-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 2 IoCs

Processes:

qsjxfirefkza.exe

pid process

476
2816 qsjxfirefkza.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

476
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2072 powercfg.exe
2768 powercfg.exe
2812 powercfg.exe
2860 powercfg.exe
2836 powercfg.exe
2532 powercfg.exe
2576 powercfg.exe
2108 powercfg.exe

pid	process
476
2816	qsjxfirefkza.exe

pid	process
476

pid	process
2072	powercfg.exe
2768	powercfg.exe
2812	powercfg.exe
2860	powercfg.exe
2836	powercfg.exe
2532	powercfg.exe
2576	powercfg.exe
2108	powercfg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

qsjxfirefkza.exe

description	pid	process	target process
PID 2816 set thread context of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 set thread context of 2960	2816	qsjxfirefkza.exe	explorer.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2960-15-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-17-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-22-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-25-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-24-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-19-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-23-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-18-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-16-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-21-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-14-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-13-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2960-26-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2564 sc.exe
2388 sc.exe
2500 sc.exe
264 sc.exe

pid	process
2564	sc.exe
2388	sc.exe
2500	sc.exe
264	sc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

943590af47af06d1bca1570bc116b25d.exeqsjxfirefkza.exe

pid	process
2012	943590af47af06d1bca1570bc116b25d.exe
2012	943590af47af06d1bca1570bc116b25d.exe
2012	943590af47af06d1bca1570bc116b25d.exe
2012	943590af47af06d1bca1570bc116b25d.exe
2012	943590af47af06d1bca1570bc116b25d.exe
2012	943590af47af06d1bca1570bc116b25d.exe
2012	943590af47af06d1bca1570bc116b25d.exe
2012	943590af47af06d1bca1570bc116b25d.exe
2816	qsjxfirefkza.exe
2816	qsjxfirefkza.exe
2816	qsjxfirefkza.exe
2816	qsjxfirefkza.exe
2816	qsjxfirefkza.exe
2816	qsjxfirefkza.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	2532	powercfg.exe
Token: SeShutdownPrivilege	2072	powercfg.exe
Token: SeShutdownPrivilege	2108	powercfg.exe
Token: SeShutdownPrivilege	2576	powercfg.exe
Token: SeShutdownPrivilege	2836	powercfg.exe
Token: SeShutdownPrivilege	2860	powercfg.exe
Token: SeShutdownPrivilege	2768	powercfg.exe
Token: SeShutdownPrivilege	2812	powercfg.exe
Token: SeLockMemoryPrivilege	2960	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

qsjxfirefkza.exe

description	pid	process	target process
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2744	2816	qsjxfirefkza.exe	conhost.exe
PID 2816 wrote to memory of 2960	2816	qsjxfirefkza.exe	explorer.exe
PID 2816 wrote to memory of 2960	2816	qsjxfirefkza.exe	explorer.exe
PID 2816 wrote to memory of 2960	2816	qsjxfirefkza.exe	explorer.exe
PID 2816 wrote to memory of 2960	2816	qsjxfirefkza.exe	explorer.exe
PID 2816 wrote to memory of 2960	2816	qsjxfirefkza.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\943590af47af06d1bca1570bc116b25d.exe
"C:\Users\Admin\AppData\Local\Temp\943590af47af06d1bca1570bc116b25d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VJAODQWN"
2⤵
- Launches sc.exe
PID:2388

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VJAODQWN" binpath= "C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2564

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:264

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VJAODQWN"
2⤵
- Launches sc.exe
PID:2500

C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe
C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2744

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

Power Settings

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\ztngybkovyeb\qsjxfirefkza.exe

Filesize
5.0MB

MD5
943590af47af06d1bca1570bc116b25d

SHA1
53eeb46310d02859984c6fa0787c5e6e3a274198

SHA256
d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201

SHA512
c3604262bcddc1bd092e29c17527d14f445ece56845b7a1596c735140a5590f947bc5796492f74fa1c673d3deeb69066de25a8ecd5f879ef6e15c44f0cf1f773

Download Submit
memory/2744-11-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-4-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-5-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-6-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-7-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-8-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2960-25-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-19-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-18-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-16-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-21-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-14-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-13-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-23-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-24-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-22-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-17-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-20-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2960-15-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2960-26-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads