xmrig | d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bb

General

Target

d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe
Size

2.0MB
MD5

252ff4ed5b4841d8c16c504bfc14a3e0
SHA1

e9321983d123bb1801ef06ea60998adc9c6ba8e4
SHA256

d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bb
SHA512

d9777d7a90468582ff8200ae874420b178d706f7fb3cdef4ec29fdeea01d050b89855cfdac9ad044f664a2432d4fbf3a8a36d04db5b3726e10cc137bc629f04f
SSDEEP

49152:Ipxp6QQ3GRnNx3kpYqns5+Kf44ftt8Cx25LUHoZvxxDGph/KKlUm3eea:Ipxp6Q9RnNx3kFnUDfnft/25LtZ5xDGs

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/1708-3-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1708-13-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/5084-22-0x0000000000400000-0x0000000000582000-memory.dmp	xmrig
behavioral2/memory/5084-27-0x00000000257E0000-0x0000000025973000-memory.dmp	xmrig
behavioral2/memory/5084-28-0x0000000025B00000-0x0000000025C82000-memory.dmp	xmrig
behavioral2/memory/5084-29-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral2/memory/5084-38-0x0000000000400000-0x0000000000A7A000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
5084	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe

Executes dropped EXE 1 IoCs

pid	Process
5084	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1708-0-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx
behavioral2/memory/5084-14-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx
behavioral2/files/0x000b000000023b65-12.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1708	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5084	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe
Token: SeLockMemoryPrivilege	5084	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1708	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe
5084	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 5084	1708	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe	84
PID 1708 wrote to memory of 5084	1708	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe	84
PID 1708 wrote to memory of 5084	1708	d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe	84

C:\Users\Admin\AppData\Local\Temp\d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe
"C:\Users\Admin\AppData\Local\Temp\d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe
  C:\Users\Admin\AppData\Local\Temp\d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d166f4078c62833bf5dc22c5d3c7dd0913f32935271e1559c25517df80a7e9bbN.exe

Filesize
2.0MB

MD5
6d4b99847a935f6d7496decf605bbacb

SHA1
82b3c645ada112114213dd160d2a72952a688881

SHA256
e7ba50fb6c247a620797abdaca2180a887aa12031707fb0a4273a968efd6c608

SHA512
b39de77f402e775dc7cacede302ecf124e9a59ae9448c12c80ecc67cb36bcbe78b4bb7a95e334794d92255958b59019e0932a82be04de9673d30e06b53804286

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/1708-1-0x0000000021D20000-0x0000000021EBE000-memory.dmp

Filesize
1.6MB

Download
memory/1708-3-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1708-13-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/5084-14-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/5084-19-0x0000000021E00000-0x0000000021F9E000-memory.dmp

Filesize
1.6MB

Download
memory/5084-22-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/5084-27-0x00000000257E0000-0x0000000025973000-memory.dmp

Filesize
1.6MB

Download
memory/5084-28-0x0000000025B00000-0x0000000025C82000-memory.dmp

Filesize
1.5MB

Download
memory/5084-29-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5084-38-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing