xmrig | 296c6e0be426330f2c3e4ad922bfe2a8611707e472e2bc44e2a34fc6649d817a

General

Target

5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe
Size

22.4MB
MD5

aace2f404b58c132d732cc7c089beb13
SHA1

ad555d52a8e00835c34da7865551f5868eba2494
SHA256

5dfcc42914baca2ba754d7836500439f15f796a2566b415b6ca732311a07a5c4
SHA512

9ea1dca54dc44d8fd980c83e3966dc58e85745cd856599d5a76110b80d1d8dc56a83394d622f98dcfcfcf874e66c3f0690bef9de9be53c5336de685d829ed1a2
SSDEEP

393216:k0/oQErZFiA0BPeKyipOduNmF5j9fU1MuvZfZ+zwAFcNjkrHrjoGXE1sTLB:t/oFc9pGuNm7j1U7ZfZ+rcpkrXlXz3B

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/1656-2-0x000000000D850000-0x000000001023C000-memory.dmp	xmrig
behavioral1/files/0x0006000000019470-13.dat	family_xmrig
behavioral1/files/0x0006000000019470-13.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.com.url	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	xmrig.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe
2928	xmrig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1656	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe
Token: SeLockMemoryPrivilege	2928	xmrig.exe
Token: SeLockMemoryPrivilege	2928	xmrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2928	1656	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe	29
PID 1656 wrote to memory of 2928	1656	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe	29
PID 1656 wrote to memory of 2928	1656	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe	29
PID 1656 wrote to memory of 2928	1656	5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe	29

C:\Users\Admin\AppData\Local\Temp\5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe
"C:\Users\Admin\AppData\Local\Temp\5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Roaming\xmrig.exe
  "C:\Users\Admin\AppData\Roaming\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\config.json

Filesize
5KB

MD5
35f276d70858135989a8a3135bea8ef8

SHA1
a0337b26583f9be3282a6bce8f4d45b324207325

SHA256
a4ca0580fe102fd24de0a40106c90b22a1134948e6a7b78d3f085f9ad8713898

SHA512
ed2e2d2a668b1e2fc8c6d9743a72a509a5d87c71072ba785d326fbb9208a3f425207c7717a1eab2821ed3435a758ff64605319be7bd3fd4ea4d2a69abbe6ca43

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig-cuda.dll

Filesize
19.2MB

MD5
ae366485bc6133ad280340231a2267a3

SHA1
759bfb1f8bfde63c0f4bea1d0de2d86b7b7ea7dd

SHA256
2849c6b88f80f2f5613bf75595dce4cc69627dde0227c8f96da89617ee810e37

SHA512
081e71056e22d58d080edfb551c576e1785646de9e5136582bf7ce8591da227943cd7b3357699a6afd8c1fab5008813289d7b7af813d9ee2ac8c1d53ab9e7bb8

Download Submit
\Users\Admin\AppData\Roaming\xmrig.exe

Filesize
4.5MB

MD5
0b85eae86038116041ecc8d24ba2fadb

SHA1
bcfeff8a7b42e8836b7dea9f6d594e14f6b25cec

SHA256
cd0dcc3d3aab1dc613cd5b1ea4d3a066ab20768c60babb1a4e79df9da9144218

SHA512
ef0b17ae8d533c209491358f09826ea7b0cb5e5d7a435b80f574916624070036d5fcf30eb35c0d5c33b49c134f471734efdaef5154de51b1ce600b4fe51b9744

Download Submit
memory/1656-3-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1656-4-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/1656-16-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/1656-2-0x000000000D850000-0x000000001023C000-memory.dmp

Filesize
41.9MB

Download
memory/1656-1-0x0000000000C30000-0x00000000022A4000-memory.dmp

Filesize
22.5MB

Download
memory/1656-25-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-17-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2928-26-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/2928-27-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download
memory/2928-28-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/2928-29-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing