xmrig | 75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6

General

Target

75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe
Size

2.4MB
MD5

59efa0fa2342651aadcef6296d61fd6c
SHA1

f0be0a96d27d08df1c531c3aed0527b03147617a
SHA256

75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6
SHA512

a1984a8788e16dfacb806bdb1145b5619f4e743ff1701e5b755acc6a71945a922db91b9bd4694eee337561e91de654462c5019edf43b38b5409c5f2ffbfccf4a
SSDEEP

49152:7It2MHY5CN3cknRo0AzjuOShOI0czcvdJD3yT3xEnEAJsC:7IHskR5AjdmGcM7EGnvsC

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023cc3-20.dat	family_xmrig
behavioral2/files/0x0007000000023cc3-20.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe

Executes dropped EXE 4 IoCs

pid	Process
1704	nssm.exe
2392	nssm.exe
2740	nssm.exe
3196	xmrig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3196	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3196	xmrig.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2372	5092	75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe	85
PID 5092 wrote to memory of 2372	5092	75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe	85
PID 5092 wrote to memory of 2372	5092	75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe	85
PID 2372 wrote to memory of 1704	2372	cmd.exe	87
PID 2372 wrote to memory of 1704	2372	cmd.exe	87
PID 2372 wrote to memory of 2392	2372	cmd.exe	88
PID 2372 wrote to memory of 2392	2372	cmd.exe	88
PID 2740 wrote to memory of 3196	2740	nssm.exe	91
PID 2740 wrote to memory of 3196	2740	nssm.exe	91

C:\Users\Admin\AppData\Local\Temp\75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe
"C:\Users\Admin\AppData\Local\Temp\75c391fa684eaf67b853c3097c686bfb788e3b8195d16ef61ddaab10557221d6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Sunlogin_svc\start.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - \??\c:\Sunlogin_svc\nssm.exe
    nssm install Sunlogin_svc xmrig.exe
    3⤵
    - Executes dropped EXE
    PID:1704
- - \??\c:\Sunlogin_svc\nssm.exe
    nssm start Sunlogin_svc
    3⤵
    - Executes dropped EXE
    PID:2392

\??\c:\Sunlogin_svc\nssm.exe
c:\Sunlogin_svc\nssm.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740
- \??\c:\Sunlogin_svc\xmrig.exe
  "xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Sunlogin_svc\nssm.exe

Filesize
323KB

MD5
beceae2fdc4f7729a93e94ac2ccd78cc

SHA1
47c112c23c7bdf2af24a20bd512f91ff6af76bc6

SHA256
f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97

SHA512
073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f

Download Submit
C:\Sunlogin_svc\start.bat

Filesize
60B

MD5
c5aa4d8fc861086d7d4ca18e3c344e53

SHA1
3c7f2c837712841a1c53561b8581b7c80f3db597

SHA256
12a32ec5fc8ddf7b9cca0c2b9bfbd0f4c61c5629c81656546b0a6ce748937f5a

SHA512
389911390c110cf1508fc226768835c45736899606fe7b847226f6b1d839be9854f09eadf9e4a6d8b5ef5d07297dfe09360284d3ba88eae93cbfbdfb08abdb02

Download Submit
\??\c:\Sunlogin_svc\config.json

Filesize
2KB

MD5
843463aba84f6dd253ac9bf9a3973797

SHA1
8525330b2ce7ef45b7b37c6b8224ccc52d30e32f

SHA256
038a081657cfbed3c07d3e9f1c80ea78abe0b25829172dba40c5b9bb663d2537

SHA512
aa1cbcf45cd29d91940d85b385502380d96324f89ccd01d4c287e6d61523ca783e65e791bca9828ffe38a989d3e8bb85f446ddae86c230b697d31c24202bb04f

Download Submit
\??\c:\Sunlogin_svc\xmrig.exe

Filesize
6.1MB

MD5
f6d520ae125f03056c4646c508218d16

SHA1
f65e63d14dd57eadb262deaa2b1a8a965a2a962c

SHA256
d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1

SHA512
d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d

Download Submit
memory/3196-21-0x000001CB6D340000-0x000001CB6D360000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing