xmrig | 09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7

General

Target

09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe
Size

2.0MB
MD5

f702e5a6cc98f09ebda3a588b769f6fe
SHA1

6d724b4550382e1873b0795d857c357e13b4e2cc
SHA256

09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7
SHA512

a1edf5eff94a97872ac7320eef9ed4c73469b71b3f4332d2939a3396d79f691df69f8f3b8e7f0f66a1c2d8f5bdb2cb0cb08b20d57521083d5490603bf07616da
SSDEEP

49152:LwDUYeYdMMQfBeRgNGShJ4dKhsF3lMDtLyJ/IYBbOFxjqh/KKlUm3ee6:uNeYd6peRcGST4dKhI36DgfBbOFx2hC7

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/824-3-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/824-13-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4272-22-0x0000000000400000-0x0000000000582000-memory.dmp	xmrig
behavioral2/memory/4272-27-0x0000000025800000-0x0000000025993000-memory.dmp	xmrig
behavioral2/memory/4272-28-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral2/memory/4272-37-0x0000000025B20000-0x0000000025CA2000-memory.dmp	xmrig
behavioral2/memory/4272-38-0x0000000000400000-0x0000000000A7A000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4272	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/824-0-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx
behavioral2/files/0x0008000000023c79-12.dat	upx
behavioral2/memory/4272-14-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
824	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4272	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe
Token: SeLockMemoryPrivilege	4272	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
824	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe
4272	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 4272	824	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe	84
PID 824 wrote to memory of 4272	824	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe	84
PID 824 wrote to memory of 4272	824	09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe	84

C:\Users\Admin\AppData\Local\Temp\09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe
"C:\Users\Admin\AppData\Local\Temp\09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe
  C:\Users\Admin\AppData\Local\Temp\09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09d7119f92f5c9e380762ffb759340b6c8690da1d7a35ebeed1b8f765ebe65e7.exe

Filesize
2.0MB

MD5
130f8b0efc1f3720048d35262ca45c41

SHA1
075c8e4afab03f54e288cf64964ab24c03d7cf06

SHA256
c8f8372bf97dbe6f602856f850bb8432fa6523eb9c6316c8514d8f4c97027804

SHA512
871ad44b73d6a5d2c55bdc2160fa23fb4783ba34c63c5c7d6da625e2c22b7e6a84c68887691c0ea4bdf7ef62552136c09ee257a1f1d3adfaa7f97aa503ecd117

Download Submit
memory/824-0-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/824-1-0x0000000021E20000-0x0000000021FBE000-memory.dmp

Filesize
1.6MB

Download
memory/824-3-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/824-13-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4272-14-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/4272-15-0x0000000021E20000-0x0000000021FBE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-22-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/4272-27-0x0000000025800000-0x0000000025993000-memory.dmp

Filesize
1.6MB

Download
memory/4272-28-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/4272-37-0x0000000025B20000-0x0000000025CA2000-memory.dmp

Filesize
1.5MB

Download
memory/4272-38-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing