xmrig | 45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527

General

Target

45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe
Size

2.0MB
MD5

a97b6746f1ce8a30eac89f1da5b63c2b
SHA1

fc8ba154e86858a5189e3f88867c8e556ab4b3bb
SHA256

45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527
SHA512

a5fc95664a8c3e07995cd21cb9740ae10c16fbeb5420d654febe3e9f5a44a24be6528b5f06136df71a09535a7d64de3c216a0bbbbbc2ec92bd16c40bacf87b97
SSDEEP

49152:fHmvdIGTEpY0QwnZ9d1a6cMHOPp/98XZhYI8M1zyqkJOctvh/KKlUm3eeu:fwCzY0Qwnto6tuPJMJx1z9kJOctvhC0u

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/780-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/780-13-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/768-22-0x0000000000400000-0x0000000000582000-memory.dmp	xmrig
behavioral2/memory/768-27-0x0000000025760000-0x00000000258F3000-memory.dmp	xmrig
behavioral2/memory/768-28-0x0000000025A80000-0x0000000025C02000-memory.dmp	xmrig
behavioral2/memory/768-29-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral2/memory/768-38-0x0000000000400000-0x0000000000A7A000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
768	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe

Executes dropped EXE 1 IoCs

pid	Process
768	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/780-0-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx
behavioral2/files/0x000a000000023cad-12.dat	upx
behavioral2/memory/768-14-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
780	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	768	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe
Token: SeLockMemoryPrivilege	768	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
780	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe
768	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 768	780	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe	84
PID 780 wrote to memory of 768	780	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe	84
PID 780 wrote to memory of 768	780	45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe	84

C:\Users\Admin\AppData\Local\Temp\45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe
"C:\Users\Admin\AppData\Local\Temp\45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe
  C:\Users\Admin\AppData\Local\Temp\45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45ade20fe8842cae3aecaba9f996fae72526f7d6554e967ce6f6d6644afdc527.exe

Filesize
2.0MB

MD5
e652943f869d81ddced15cd3e4931ed0

SHA1
613053519be1f96c302e477d53a1257df3059f12

SHA256
b1ecf487f8970baaa63ca5604beb5c7f86845ccdd47ab713201c00428bdbb59d

SHA512
dbed387d09749752ee34d1f94c44d7b4f09625b7936f1d0a7210dca691a173e2e18d7d141e98a1545e441b8c9be840d0b38e1c5efa334d419a2f5fcdb043a4f7

Download Submit
memory/768-14-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/768-15-0x0000000021D80000-0x0000000021F1E000-memory.dmp

Filesize
1.6MB

Download
memory/768-22-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/768-27-0x0000000025760000-0x00000000258F3000-memory.dmp

Filesize
1.6MB

Download
memory/768-28-0x0000000025A80000-0x0000000025C02000-memory.dmp

Filesize
1.5MB

Download
memory/768-29-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/768-38-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/780-0-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/780-1-0x0000000021E10000-0x0000000021FAE000-memory.dmp

Filesize
1.6MB

Download
memory/780-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/780-13-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing