xmrig | b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4

General

Target

b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe
Size

1.7MB
MD5

d34bff5f145e0e6b33fc13ca2ce1fa3c
SHA1

b086fbb884e0ac90816546bdebeb25d2d2db001c
SHA256

b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4
SHA512

ec1be587311f964b46c3f2f3c4563d834e0d1a5cf9cfb02e0e4cab766e06c0649c2c07ffc8d48159a8958fd17ba7c8a12d4ad372aac6872840b52a1daf5c8d7b
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWYlZ3pBjqlx7TovQmVV4dThen9zj:Lz071uv4BPMkibTIA5lCx7kvRWa4pXex

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/2908-14-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-15-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-16-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-17-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-18-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-19-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-20-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-21-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-22-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-23-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-24-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig
behavioral1/memory/2908-25-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2428	powershell.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2908-0-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-14-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-15-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-16-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-17-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-18-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-19-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-20-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-21-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-22-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-23-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-24-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx
behavioral1/memory/2908-25-0x000000013F4B0000-0x000000013F8A2000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2908	b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe
Token: SeLockMemoryPrivilege	2908	b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe
Token: SeDebugPrivilege	2428	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2428	2908	b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe	31
PID 2908 wrote to memory of 2428	2908	b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe	31
PID 2908 wrote to memory of 2428	2908	b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe	31

C:\Users\Admin\AppData\Local\Temp\b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe
"C:\Users\Admin\AppData\Local\Temp\b9b92d6212eb268a9be647493b79131bf6a1ccd6c3d2388510f27e07d7510de4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-12-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2428-13-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2428-6-0x000007FEF551E000-0x000007FEF551F000-memory.dmp

Filesize
4KB

Download
memory/2428-7-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2428-8-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2428-10-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2428-9-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2428-11-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-14-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-19-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-0-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-15-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-16-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-17-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-18-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2908-20-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-21-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-22-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-23-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-24-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download
memory/2908-25-0x000000013F4B0000-0x000000013F8A2000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing