xmrig | 0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2023, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe
Size

946KB
MD5

0d1e3266a1bc3b62f0523e10b5170337
SHA1

2f32c53b63235f7a238a5fad1346a7b10e00a76c
SHA256

0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421
SHA512

47c618f8a569caa926768c15817a28b8c50a3d2f1878d2e6fa55ee56d0269e6be3a497a0eefed2b98b85f1c31a641875f0aba4b804c3afeb1cec388fe8128096
SSDEEP

24576:STsgfj7dVp7eo2otWoQ84thGKo20pyJST4Md9d11lB:lEdz7eo2iWorwGKyyJSPdzl

Score

10^/10

xmrig zgrat miner rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2308-13-0x000001AF69380000-0x000001AF69480000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/4296-49-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-50-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-51-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-53-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-54-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-55-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-56-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-57-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4296-58-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
4776	TypeId.exe
2460	TypeId.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 2308	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe	89
PID 4776 set thread context of 2460	4776	TypeId.exe	91
PID 2460 set thread context of 3088	2460	TypeId.exe	92
PID 3088 set thread context of 4648	3088	RegAsm.exe	93
PID 4648 set thread context of 4296	4648	RegAsm.exe	95

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe
4776	TypeId.exe
3088	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe
4648	RegAsm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe
Token: SeDebugPrivilege	2308	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe
Token: SeDebugPrivilege	4776	TypeId.exe
Token: SeDebugPrivilege	2460	TypeId.exe
Token: SeDebugPrivilege	3088	RegAsm.exe
Token: SeDebugPrivilege	4648	RegAsm.exe
Token: SeLockMemoryPrivilege	4296	AddInProcess.exe
Token: SeLockMemoryPrivilege	4296	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4296	AddInProcess.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2308	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe	89
PID 1652 wrote to memory of 2308	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe	89
PID 1652 wrote to memory of 2308	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe	89
PID 1652 wrote to memory of 2308	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe	89
PID 1652 wrote to memory of 2308	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe	89
PID 1652 wrote to memory of 2308	1652	0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe	89
PID 4776 wrote to memory of 2460	4776	TypeId.exe	91
PID 4776 wrote to memory of 2460	4776	TypeId.exe	91
PID 4776 wrote to memory of 2460	4776	TypeId.exe	91
PID 4776 wrote to memory of 2460	4776	TypeId.exe	91
PID 4776 wrote to memory of 2460	4776	TypeId.exe	91
PID 4776 wrote to memory of 2460	4776	TypeId.exe	91
PID 2460 wrote to memory of 3088	2460	TypeId.exe	92
PID 2460 wrote to memory of 3088	2460	TypeId.exe	92
PID 2460 wrote to memory of 3088	2460	TypeId.exe	92
PID 2460 wrote to memory of 3088	2460	TypeId.exe	92
PID 2460 wrote to memory of 3088	2460	TypeId.exe	92
PID 2460 wrote to memory of 3088	2460	TypeId.exe	92
PID 3088 wrote to memory of 4648	3088	RegAsm.exe	93
PID 3088 wrote to memory of 4648	3088	RegAsm.exe	93
PID 3088 wrote to memory of 4648	3088	RegAsm.exe	93
PID 3088 wrote to memory of 4648	3088	RegAsm.exe	93
PID 3088 wrote to memory of 4648	3088	RegAsm.exe	93
PID 3088 wrote to memory of 4648	3088	RegAsm.exe	93
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95
PID 4648 wrote to memory of 4296	4648	RegAsm.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe
"C:\Users\Admin\AppData\Local\Temp\0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe
  C:\Users\Admin\AppData\Local\Temp\0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
  C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RegAsm.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
946KB

MD5
0d1e3266a1bc3b62f0523e10b5170337

SHA1
2f32c53b63235f7a238a5fad1346a7b10e00a76c

SHA256
0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421

SHA512
47c618f8a569caa926768c15817a28b8c50a3d2f1878d2e6fa55ee56d0269e6be3a497a0eefed2b98b85f1c31a641875f0aba4b804c3afeb1cec388fe8128096

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
946KB

MD5
0d1e3266a1bc3b62f0523e10b5170337

SHA1
2f32c53b63235f7a238a5fad1346a7b10e00a76c

SHA256
0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421

SHA512
47c618f8a569caa926768c15817a28b8c50a3d2f1878d2e6fa55ee56d0269e6be3a497a0eefed2b98b85f1c31a641875f0aba4b804c3afeb1cec388fe8128096

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
946KB

MD5
0d1e3266a1bc3b62f0523e10b5170337

SHA1
2f32c53b63235f7a238a5fad1346a7b10e00a76c

SHA256
0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421

SHA512
47c618f8a569caa926768c15817a28b8c50a3d2f1878d2e6fa55ee56d0269e6be3a497a0eefed2b98b85f1c31a641875f0aba4b804c3afeb1cec388fe8128096

Download Submit
memory/1652-4-0x0000017C39970000-0x0000017C39A58000-memory.dmp

Filesize
928KB

Download
memory/1652-7-0x0000017C1F640000-0x0000017C1F68C000-memory.dmp

Filesize
304KB

Download
memory/1652-8-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/1652-9-0x0000017C39860000-0x0000017C39870000-memory.dmp

Filesize
64KB

Download
memory/1652-6-0x0000017C39B30000-0x0000017C39C00000-memory.dmp

Filesize
832KB

Download
memory/1652-5-0x0000017C39A60000-0x0000017C39B30000-memory.dmp

Filesize
832KB

Download
memory/1652-3-0x0000017C39750000-0x0000017C39838000-memory.dmp

Filesize
928KB

Download
memory/1652-0-0x0000017C1F160000-0x0000017C1F250000-memory.dmp

Filesize
960KB

Download
memory/1652-2-0x0000017C39860000-0x0000017C39870000-memory.dmp

Filesize
64KB

Download
memory/1652-15-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/1652-1-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/2308-14-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/2308-16-0x000001AF694D0000-0x000001AF694E0000-memory.dmp

Filesize
64KB

Download
memory/2308-22-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/2308-18-0x000001AF695E0000-0x000001AF69636000-memory.dmp

Filesize
344KB

Download
memory/2308-17-0x000001AF4F2E0000-0x000001AF4F2E8000-memory.dmp

Filesize
32KB

Download
memory/2308-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2308-19-0x000001AF69640000-0x000001AF69694000-memory.dmp

Filesize
336KB

Download
memory/2308-13-0x000001AF69380000-0x000001AF69480000-memory.dmp

Filesize
1024KB

Download
memory/2460-40-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/2460-35-0x00000213FCBF0000-0x00000213FCC00000-memory.dmp

Filesize
64KB

Download
memory/2460-38-0x00000213FCBF0000-0x00000213FCC00000-memory.dmp

Filesize
64KB

Download
memory/2460-33-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/2460-37-0x00000213FCBF0000-0x00000213FCC00000-memory.dmp

Filesize
64KB

Download
memory/3088-46-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/3088-39-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/3088-41-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/4296-54-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-52-0x0000021FDCED0000-0x0000021FDCEF0000-memory.dmp

Filesize
128KB

Download
memory/4296-55-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-59-0x0000021FDCF20000-0x0000021FDCF40000-memory.dmp

Filesize
128KB

Download
memory/4296-56-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-58-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-57-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-53-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-49-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-50-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4296-51-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4648-45-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/4648-48-0x00000170EBE00000-0x00000170EBE10000-memory.dmp

Filesize
64KB

Download
memory/4648-47-0x00000170EBE00000-0x00000170EBE10000-memory.dmp

Filesize
64KB

Download
memory/4648-60-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/4776-28-0x000002E53BF50000-0x000002E53BF60000-memory.dmp

Filesize
64KB

Download
memory/4776-34-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/4776-26-0x000002E53BF50000-0x000002E53BF60000-memory.dmp

Filesize
64KB

Download
memory/4776-25-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download
memory/4776-27-0x00007FFE943C0000-0x00007FFE94E81000-memory.dmp

Filesize
10.8MB

Download