xmrig | e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0

General

Target

e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe
Size

2.8MB
MD5

426e1b179cae02991c22d7a3c7ce5704
SHA1

30717d2788c1d25fd60bee0182d0499f15d802f0
SHA256

e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0
SHA512

9a32d87fe313d67884a6527780b4489f49a3514b135a56a344044079b8d0ca5f51ef47b7cfd064af90e2667a4f2830478fa6b1394ce827851791561d34d66338
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1Vr5s1PTleLWrJ5O1xO:NAB3

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/2220-15-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-16-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-17-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-18-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-19-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-20-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-21-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-22-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-23-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-24-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-25-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig
behavioral1/memory/2220-26-0x000000013FE20000-0x0000000140212000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
932	powershell.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-15-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-16-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-17-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-18-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-19-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-20-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-21-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-22-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-23-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-24-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-25-0x000000013FE20000-0x0000000140212000-memory.dmp	upx
behavioral1/memory/2220-26-0x000000013FE20000-0x0000000140212000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
932	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2220	e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe
Token: SeLockMemoryPrivilege	2220	e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe
Token: SeDebugPrivilege	932	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 932	2220	e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe	30
PID 2220 wrote to memory of 932	2220	e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe	30
PID 2220 wrote to memory of 932	2220	e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe	30

C:\Users\Admin\AppData\Local\Temp\e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe
"C:\Users\Admin\AppData\Local\Temp\e6b46989850611a2c48328687b17b82225cdbf8410a2c140c430a959bfff7bb0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-14-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/932-6-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/932-13-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/932-7-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/932-8-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/932-9-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/932-10-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/932-11-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/932-12-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-26-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-20-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2220-0-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-17-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-18-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-19-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-16-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-21-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-22-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-23-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-24-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-25-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download
memory/2220-15-0x000000013FE20000-0x0000000140212000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing