xmrig | 6fc7bfc186b8207bcb43a0b012cf8aaa20b9c59ba3582ee48635044abaa1598e

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2023 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6.0MB
MD5

66055eb5779265037160e80546c6de3d
SHA1

49d3ac6f095af87c2940b16f52f1c72b81646b0d
SHA256

6fc7bfc186b8207bcb43a0b012cf8aaa20b9c59ba3582ee48635044abaa1598e
SHA512

a315bc889e9f629dd0bb0c8a376ee29f3fcd25706a2ad0511db1292e5d18b76392e857b4db1010b2b1ce6d7ea1f81d94b6dcbcbdd565d456565fa2a36aa152fc
SSDEEP

98304:wUQqpYQUHxoPmuVk77pC9RwQic/WkkQldxy6Qn3g64UFkcSJNsPGw7Wb/DibBZNY:wjqi+PS7Qf+OdkExPTpUC+Gwqb/DiNzY

Score

10^/10

xmrig miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1284 created 3112 1284 tmp.exe Explorer.EXE
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 1284 created 3112	1284	tmp.exe	Explorer.EXE

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3928-47-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-48-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-49-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-51-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-52-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-53-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-54-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-55-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-56-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3928-57-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

VCDDaemon.exe

pid process

1444 VCDDaemon.exe
Loads dropped DLL 3 IoCs

Processes:

VCDDaemon.exe

pid process

1444 VCDDaemon.exe
1444 VCDDaemon.exe
1444 VCDDaemon.exe

pid	process
1444	VCDDaemon.exe

pid	process
1444	VCDDaemon.exe
1444	VCDDaemon.exe
1444	VCDDaemon.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

VCDDaemon.execmd.exeMSBuild.exe

description	pid	process	target process
PID 1444 set thread context of 3924	1444	VCDDaemon.exe	cmd.exe
PID 3924 set thread context of 2256	3924	cmd.exe	MSBuild.exe
PID 2256 set thread context of 3928	2256	MSBuild.exe	ngen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tmp.exeVCDDaemon.execmd.exeMSBuild.exe

pid process

1284 tmp.exe
1284 tmp.exe
1444 VCDDaemon.exe
1444 VCDDaemon.exe
3924 cmd.exe
3924 cmd.exe
2256 MSBuild.exe
2256 MSBuild.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

684
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

VCDDaemon.execmd.exe

pid process

1444 VCDDaemon.exe
3924 cmd.exe
3924 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MSBuild.exengen.exe

description pid process

Token: SeDebugPrivilege 2256 MSBuild.exe
Token: SeLockMemoryPrivilege 3928 ngen.exe
Token: SeLockMemoryPrivilege 3928 ngen.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ngen.exe

pid process

3928 ngen.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

1284 tmp.exe
1284 tmp.exe

pid	process
1284	tmp.exe
1284	tmp.exe
1444	VCDDaemon.exe
1444	VCDDaemon.exe
3924	cmd.exe
3924	cmd.exe
2256	MSBuild.exe
2256	MSBuild.exe

pid	process
684

pid	process
1444	VCDDaemon.exe
3924	cmd.exe
3924	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2256	MSBuild.exe
Token: SeLockMemoryPrivilege	3928	ngen.exe
Token: SeLockMemoryPrivilege	3928	ngen.exe

pid	process
3928	ngen.exe

pid	process
1284	tmp.exe
1284	tmp.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

tmp.exeVCDDaemon.execmd.exeMSBuild.exe

description	pid	process	target process
PID 1284 wrote to memory of 1444	1284	tmp.exe	VCDDaemon.exe
PID 1284 wrote to memory of 1444	1284	tmp.exe	VCDDaemon.exe
PID 1284 wrote to memory of 1444	1284	tmp.exe	VCDDaemon.exe
PID 1444 wrote to memory of 3924	1444	VCDDaemon.exe	cmd.exe
PID 1444 wrote to memory of 3924	1444	VCDDaemon.exe	cmd.exe
PID 1444 wrote to memory of 3924	1444	VCDDaemon.exe	cmd.exe
PID 1444 wrote to memory of 3924	1444	VCDDaemon.exe	cmd.exe
PID 3924 wrote to memory of 2256	3924	cmd.exe	MSBuild.exe
PID 3924 wrote to memory of 2256	3924	cmd.exe	MSBuild.exe
PID 3924 wrote to memory of 2256	3924	cmd.exe	MSBuild.exe
PID 3924 wrote to memory of 2256	3924	cmd.exe	MSBuild.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe
PID 2256 wrote to memory of 3928	2256	MSBuild.exe	ngen.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe --donate-level 1 -o de.zephyr.herominers.com:1123 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p workwork -a rx/0 -k --max-cpu-usage=50
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a77ba2a

Filesize
2.1MB

MD5
b77f98ca6f36b53c6d3e15b785b67a40

SHA1
c794ba588290782db0429f9aff95bd79a25f2eb0

SHA256
1f2daedfbe7f1db325efcab246bcc143f059ccb53a018d262091ad48cb56240f

SHA512
b4997db2a5329fdf878d66f67c1d653b7f607853c450c3a0df801cf1d6856a73037ec52fc149526d5e34ce953f43200c39aa42bb5c590869ce7796380dea65b2

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyCDIO.dll

Filesize
93KB

MD5
5abcd9f2323d7e4ac51728cc32f17cc6

SHA1
b226b10309a38cb1e30a00bce541cbf62e3dc0e0

SHA256
cff34dfd4251c22458f73674e6d2e1ca4c38a2ca7d69491db291e89c929d823b

SHA512
3b87c46047611fb491e82b6903694567965fc475337c437098b124679b231bfe47add75537fef26c78d8b87844700eca414c4d9e3f5a065d7f54286cb4f69254

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyCDIO.dll

Filesize
93KB

MD5
5abcd9f2323d7e4ac51728cc32f17cc6

SHA1
b226b10309a38cb1e30a00bce541cbf62e3dc0e0

SHA256
cff34dfd4251c22458f73674e6d2e1ca4c38a2ca7d69491db291e89c929d823b

SHA512
3b87c46047611fb491e82b6903694567965fc475337c437098b124679b231bfe47add75537fef26c78d8b87844700eca414c4d9e3f5a065d7f54286cb4f69254

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyCDIO.dll

Filesize
93KB

MD5
5abcd9f2323d7e4ac51728cc32f17cc6

SHA1
b226b10309a38cb1e30a00bce541cbf62e3dc0e0

SHA256
cff34dfd4251c22458f73674e6d2e1ca4c38a2ca7d69491db291e89c929d823b

SHA512
3b87c46047611fb491e82b6903694567965fc475337c437098b124679b231bfe47add75537fef26c78d8b87844700eca414c4d9e3f5a065d7f54286cb4f69254

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyVCD.dll

Filesize
130KB

MD5
aa490720cd3c26eff6e6fbe9601673a5

SHA1
e97dbbd6b37bff2c700e1ce967cf6612fddfbd41

SHA256
349b4dfa1e93144b010affba926663264288a5cfcb7b305320f466b2551b93df

SHA512
fb2347bd7d6f0408235f30468886da8e4ec4790058ed70dbb28a4080b399a9b55902aa33756209cb3ed8579347ca69d484cb12f6e7ef0120246c3ac37ef98647

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyVCD.dll

Filesize
130KB

MD5
aa490720cd3c26eff6e6fbe9601673a5

SHA1
e97dbbd6b37bff2c700e1ce967cf6612fddfbd41

SHA256
349b4dfa1e93144b010affba926663264288a5cfcb7b305320f466b2551b93df

SHA512
fb2347bd7d6f0408235f30468886da8e4ec4790058ed70dbb28a4080b399a9b55902aa33756209cb3ed8579347ca69d484cb12f6e7ef0120246c3ac37ef98647

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe

Filesize
86KB

MD5
3bd79a1f6d2ea0fddea3f8914b2a6a0c

SHA1
3ea3f44f81b3501e652b448a7dc33a8ee739772e

SHA256
332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51

SHA512
7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe

Filesize
86KB

MD5
3bd79a1f6d2ea0fddea3f8914b2a6a0c

SHA1
3ea3f44f81b3501e652b448a7dc33a8ee739772e

SHA256
332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51

SHA512
7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\poppet.eps

Filesize
1.8MB

MD5
d0a7fae3a0fdae716c76300adf70b2bb

SHA1
5be0788226f428dcc66de7aa4dce5d8eeb832d8e

SHA256
f1d7eb55fcaf9a6f71316559e33d40682f47ce3c0b1c1ff4908c71ca1015c9ed

SHA512
1306f6fba2386a31dffb80297a089285f3045b1c19950a1068a5a3103f06467cda71650c23efc0ba59fd3e35482d1fe362f7713e2f8da965fed97151f85cd5a1

Download Submit
memory/1284-14-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/1284-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1284-4-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/1284-2-0x00007FFE895B0000-0x00007FFE897A5000-memory.dmp

Filesize
2.0MB

Download
memory/1284-25-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/1284-1-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/1444-20-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/1444-22-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/1444-23-0x00007FFE895B0000-0x00007FFE897A5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-24-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/1444-26-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/2256-43-0x000001E3371B0000-0x000001E3371C0000-memory.dmp

Filesize
64KB

Download
memory/2256-62-0x00007FFE68E20000-0x00007FFE698E1000-memory.dmp

Filesize
10.8MB

Download
memory/2256-36-0x00007FFE698F0000-0x00007FFE6AF67000-memory.dmp

Filesize
22.5MB

Download
memory/2256-39-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2256-40-0x00007FFE68E20000-0x00007FFE698E1000-memory.dmp

Filesize
10.8MB

Download
memory/2256-41-0x000001E3371B0000-0x000001E3371C0000-memory.dmp

Filesize
64KB

Download
memory/2256-42-0x00007FFE68E20000-0x00007FFE698E1000-memory.dmp

Filesize
10.8MB

Download
memory/3924-32-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/3924-33-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/3924-35-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/3924-28-0x0000000074840000-0x00000000749BB000-memory.dmp

Filesize
1.5MB

Download
memory/3924-30-0x00007FFE895B0000-0x00007FFE897A5000-memory.dmp

Filesize
2.0MB

Download
memory/3928-47-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-49-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-50-0x000001A34C6E0000-0x000001A34C700000-memory.dmp

Filesize
128KB

Download
memory/3928-51-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-52-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-53-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-54-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-55-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-56-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-57-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3928-48-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download