xmrig | b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-11-2022 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe
Size

1.7MB
MD5

27b284fab61afb4e351edbcbd930aa3f
SHA1

06d1988f308245688c337c1e4751cf3c262a02ba
SHA256

b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6
SHA512

07f40ee220eaf4f27a58d6389496694de8aebbfe3f5b588988349a68b1192faca4cd7fd81eb9f17bf3836e786381f1865658b65bc06942dff495736d0b08f3b3
SSDEEP

49152:PvKK9gn45q8P+D48aQ5QhRPjkNtJeLHkJkQ:PWoetJeDE

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/1612-71-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-73-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-75-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-76-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-78-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-80-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-81-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-83-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-85-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-86-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1612-88-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-90-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1612-92-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
840	DBJYPFS.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 1612	840	DBJYPFS.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1768	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1700	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
840	DBJYPFS.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe
Token: SeDebugPrivilege	840	DBJYPFS.exe
Token: SeLockMemoryPrivilege	1612	vbc.exe
Token: SeLockMemoryPrivilege	1612	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	vbc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1724	1964	b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe	28
PID 1964 wrote to memory of 1724	1964	b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe	28
PID 1964 wrote to memory of 1724	1964	b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe	28
PID 1724 wrote to memory of 1700	1724	cmd.exe	30
PID 1724 wrote to memory of 1700	1724	cmd.exe	30
PID 1724 wrote to memory of 1700	1724	cmd.exe	30
PID 1724 wrote to memory of 840	1724	cmd.exe	31
PID 1724 wrote to memory of 840	1724	cmd.exe	31
PID 1724 wrote to memory of 840	1724	cmd.exe	31
PID 840 wrote to memory of 1992	840	DBJYPFS.exe	32
PID 840 wrote to memory of 1992	840	DBJYPFS.exe	32
PID 840 wrote to memory of 1992	840	DBJYPFS.exe	32
PID 1992 wrote to memory of 1768	1992	cmd.exe	34
PID 1992 wrote to memory of 1768	1992	cmd.exe	34
PID 1992 wrote to memory of 1768	1992	cmd.exe	34
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36
PID 840 wrote to memory of 1612	840	DBJYPFS.exe	36

C:\Users\Admin\AppData\Local\Temp\b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe
"C:\Users\Admin\AppData\Local\Temp\b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFE7C.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1700
- - C:\ProgramData\AppsWin\DBJYPFS.exe
    "C:\ProgramData\AppsWin\DBJYPFS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DBJYPFS" /tr "C:\ProgramData\AppsWin\DBJYPFS.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DBJYPFS" /tr "C:\ProgramData\AppsWin\DBJYPFS.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4AAvbZFu6CJe2k13FgFmnDWHasLSbsKpXNumeQrWnZU8gpV9dURkEmJYtTYSohPLrCYA8bBN5PJRWbo1qgLuzpyNApcPYRh --tls --coin monero
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AppsWin\DBJYPFS.exe

Filesize
1.7MB

MD5
27b284fab61afb4e351edbcbd930aa3f

SHA1
06d1988f308245688c337c1e4751cf3c262a02ba

SHA256
b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6

SHA512
07f40ee220eaf4f27a58d6389496694de8aebbfe3f5b588988349a68b1192faca4cd7fd81eb9f17bf3836e786381f1865658b65bc06942dff495736d0b08f3b3

Download Submit
C:\ProgramData\AppsWin\DBJYPFS.exe

Filesize
1.7MB

MD5
27b284fab61afb4e351edbcbd930aa3f

SHA1
06d1988f308245688c337c1e4751cf3c262a02ba

SHA256
b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6

SHA512
07f40ee220eaf4f27a58d6389496694de8aebbfe3f5b588988349a68b1192faca4cd7fd81eb9f17bf3836e786381f1865658b65bc06942dff495736d0b08f3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE7C.tmp.bat

Filesize
143B

MD5
e623478017821c71c3c96f1cf3efe04a

SHA1
5b8f1b8b822e2c228e873ba496eac7181ecb2e58

SHA256
ce1db21f295fb01a56450bf0b70d18b375764caf704691d390d98643fbad0df5

SHA512
6c840d83eb74e52992c9e95e4bf8e4b8ffc821ff49e54c6cee051f6dbdb56834b3f0e50a22a0efbcab44fbefc75ee3e777b1a75d820c5b56ee9639af923a8ac0

Download Submit
\ProgramData\AppsWin\DBJYPFS.exe

Filesize
1.7MB

MD5
27b284fab61afb4e351edbcbd930aa3f

SHA1
06d1988f308245688c337c1e4751cf3c262a02ba

SHA256
b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6

SHA512
07f40ee220eaf4f27a58d6389496694de8aebbfe3f5b588988349a68b1192faca4cd7fd81eb9f17bf3836e786381f1865658b65bc06942dff495736d0b08f3b3

Download Submit
memory/840-63-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/840-62-0x0000000000C00000-0x0000000000DAA000-memory.dmp

Filesize
1.7MB

Download
memory/1612-69-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-76-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-93-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1612-92-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-91-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1612-66-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-67-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-89-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/1612-71-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-73-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-75-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-90-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-78-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-80-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-81-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-83-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-85-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1612-88-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1964-54-0x0000000000060000-0x000000000020A000-memory.dmp

Filesize
1.7MB

Download