xmrig | d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201

General

Target

943590af47af06d1bca1570bc116b25d.exe
Size

5.0MB
MD5

943590af47af06d1bca1570bc116b25d
SHA1

53eeb46310d02859984c6fa0787c5e6e3a274198
SHA256

d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201
SHA512

c3604262bcddc1bd092e29c17527d14f445ece56845b7a1596c735140a5590f947bc5796492f74fa1c673d3deeb69066de25a8ecd5f879ef6e15c44f0cf1f773
SSDEEP

98304:onw0oQREXMrEuBiq3gDkbAFcRWhgJsJpZqegs7eCCV2M8mrSrkFcQ7t0ZgpPpY:onw0BREX3kookFrKuAA7mV2M8CUKcW0F

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4612-16-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4612-19-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4612-22-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4612-23-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4612-21-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

qsjxfirefkza.exe

pid process

1168 qsjxfirefkza.exe
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4620 powercfg.exe
540 powercfg.exe
3928 powercfg.exe
2084 powercfg.exe
3348 powercfg.exe
372 powercfg.exe
2220 powercfg.exe
3496 powercfg.exe

pid	process
1168	qsjxfirefkza.exe

pid	process
4620	powercfg.exe
540	powercfg.exe
3928	powercfg.exe
2084	powercfg.exe
3348	powercfg.exe
372	powercfg.exe
2220	powercfg.exe
3496	powercfg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

qsjxfirefkza.exe

description	pid	process	target process
PID 1168 set thread context of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 set thread context of 4612	1168	qsjxfirefkza.exe	explorer.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4612-11-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-13-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-14-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-16-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-15-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-12-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-17-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-19-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-22-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-23-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-21-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-24-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-26-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-27-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4612-28-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2760 sc.exe
4408 sc.exe
3336 sc.exe
4788 sc.exe

pid	process
2760	sc.exe
4408	sc.exe
3336	sc.exe
4788	sc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

943590af47af06d1bca1570bc116b25d.exeqsjxfirefkza.exe

pid	process
4304	943590af47af06d1bca1570bc116b25d.exe
4304	943590af47af06d1bca1570bc116b25d.exe
4304	943590af47af06d1bca1570bc116b25d.exe
4304	943590af47af06d1bca1570bc116b25d.exe
4304	943590af47af06d1bca1570bc116b25d.exe
4304	943590af47af06d1bca1570bc116b25d.exe
4304	943590af47af06d1bca1570bc116b25d.exe
4304	943590af47af06d1bca1570bc116b25d.exe
1168	qsjxfirefkza.exe
1168	qsjxfirefkza.exe
1168	qsjxfirefkza.exe
1168	qsjxfirefkza.exe
1168	qsjxfirefkza.exe
1168	qsjxfirefkza.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3496	powercfg.exe
Token: SeCreatePagefilePrivilege	3496	powercfg.exe
Token: SeShutdownPrivilege	3928	powercfg.exe
Token: SeCreatePagefilePrivilege	3928	powercfg.exe
Token: SeShutdownPrivilege	540	powercfg.exe
Token: SeCreatePagefilePrivilege	540	powercfg.exe
Token: SeShutdownPrivilege	4620	powercfg.exe
Token: SeCreatePagefilePrivilege	4620	powercfg.exe
Token: SeShutdownPrivilege	2220	powercfg.exe
Token: SeCreatePagefilePrivilege	2220	powercfg.exe
Token: SeShutdownPrivilege	3348	powercfg.exe
Token: SeCreatePagefilePrivilege	3348	powercfg.exe
Token: SeShutdownPrivilege	372	powercfg.exe
Token: SeCreatePagefilePrivilege	372	powercfg.exe
Token: SeShutdownPrivilege	2084	powercfg.exe
Token: SeCreatePagefilePrivilege	2084	powercfg.exe
Token: SeLockMemoryPrivilege	4612	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

qsjxfirefkza.exe

description	pid	process	target process
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 616	1168	qsjxfirefkza.exe	conhost.exe
PID 1168 wrote to memory of 4612	1168	qsjxfirefkza.exe	explorer.exe
PID 1168 wrote to memory of 4612	1168	qsjxfirefkza.exe	explorer.exe
PID 1168 wrote to memory of 4612	1168	qsjxfirefkza.exe	explorer.exe
PID 1168 wrote to memory of 4612	1168	qsjxfirefkza.exe	explorer.exe
PID 1168 wrote to memory of 4612	1168	qsjxfirefkza.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\943590af47af06d1bca1570bc116b25d.exe
"C:\Users\Admin\AppData\Local\Temp\943590af47af06d1bca1570bc116b25d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VJAODQWN"
2⤵
- Launches sc.exe
PID:2760

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VJAODQWN" binpath= "C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe" start= "auto"
2⤵
- Launches sc.exe
PID:4408

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:3336

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VJAODQWN"
2⤵
- Launches sc.exe
PID:4788

C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe
C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:616

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

Power Settings

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe

Filesize
5.0MB

MD5
943590af47af06d1bca1570bc116b25d

SHA1
53eeb46310d02859984c6fa0787c5e6e3a274198

SHA256
d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201

SHA512
c3604262bcddc1bd092e29c17527d14f445ece56845b7a1596c735140a5590f947bc5796492f74fa1c673d3deeb69066de25a8ecd5f879ef6e15c44f0cf1f773

Download Submit
C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe

Filesize
4.8MB

MD5
01604a20bc5092a30433bbef6951988e

SHA1
69b0847efe2c294373d3fdb7c0dfed740c7cd664

SHA256
00e23842ac0e8d97dc680cfe2d00b602081b5c409d68faacbf6de4652f979af7

SHA512
1a9a37f84cc82afd39d3f65498751f1c598bec127e3dcadba81afa8af8b2ceaffc426fa9636b44bc2c62436271364e4f3ef0812d24cc7af5ba7862f2051dcb8f

Download Submit
memory/616-5-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/616-7-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/616-6-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/616-10-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/616-3-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/616-4-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4612-13-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-22-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-15-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-12-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-16-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-14-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-11-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-17-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-19-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-18-0x0000000000ED0000-0x0000000000EF0000-memory.dmp

Filesize
128KB

Download
memory/4612-20-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-23-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-21-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-24-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-26-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-27-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4612-28-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads