xmrig | 216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0

General

Target

216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe
Size

5.3MB
MD5

f0615222efdb2699a7d869641bcf7eab
SHA1

e346c26ede7d5e6e97bc5f9578a3c7dc5853e4af
SHA256

216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0
SHA512

d0a817eeaa3ecd507e778fc1422a0989d116d0d635d976924681176e17e9d7a38f1d9963954def8892bf9483ba6de989595114e2da009281e2b2489796e34a16
SSDEEP

49152:+a2+8ZkbcfOPIMmuv2d2cWfGmsQZ0Wf8f8QlWuWzVjnbXGp8mih7NUfXUu4tEqN5:+aTX1HlUUdG/Mul2rq/aReDkizMeQUa

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2260-0-0x0000000000270000-0x00000000007B4000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000c000000014b9a-16.dat	family_zgrat_v1
behavioral1/memory/2040-17-0x0000000000070000-0x00000000005B4000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000c000000014b9a-15.dat	family_zgrat_v1
behavioral1/files/0x000c000000014b9a-13.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/3004-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/3004-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/3004-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/3004-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/3004-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/3004-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/3004-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/3004-41-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2260-0-0x0000000000270000-0x00000000007B4000-memory.dmp	net_reactor
behavioral1/files/0x000c000000014b9a-16.dat	net_reactor
behavioral1/memory/2040-17-0x0000000000070000-0x00000000005B4000-memory.dmp	net_reactor
behavioral1/files/0x000c000000014b9a-15.dat	net_reactor
behavioral1/files/0x000c000000014b9a-13.dat	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
2040	OneDrive.exe

Loads dropped DLL 1 IoCs

pid	Process
2808	cmd.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3004-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3004-41-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2648	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2832	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe
Token: SeDebugPrivilege	2040	OneDrive.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2808	2260	216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe	28
PID 2260 wrote to memory of 2808	2260	216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe	28
PID 2260 wrote to memory of 2808	2260	216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe	28
PID 2808 wrote to memory of 2832	2808	cmd.exe	29
PID 2808 wrote to memory of 2832	2808	cmd.exe	29
PID 2808 wrote to memory of 2832	2808	cmd.exe	29
PID 2808 wrote to memory of 2040	2808	cmd.exe	30
PID 2808 wrote to memory of 2040	2808	cmd.exe	30
PID 2808 wrote to memory of 2040	2808	cmd.exe	30
PID 2040 wrote to memory of 2740	2040	OneDrive.exe	33
PID 2040 wrote to memory of 2740	2040	OneDrive.exe	33
PID 2040 wrote to memory of 2740	2040	OneDrive.exe	33
PID 2740 wrote to memory of 2648	2740	cmd.exe	32
PID 2740 wrote to memory of 2648	2740	cmd.exe	32
PID 2740 wrote to memory of 2648	2740	cmd.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe
"C:\Users\Admin\AppData\Local\Temp\216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp83DF.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2832
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      PID:3004

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
1⤵
- Creates scheduled task(s)
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
430KB

MD5
f2031116791c837a30a48f8cdda564fb

SHA1
a0e1c50bb6ad560220538706dd38866e95c0b1c7

SHA256
ed0f73af9cab2aff5f530fe39b38b6857cc59830178681599799f6d614358d95

SHA512
724979fcfece444ee8cfa8db167aa127ddcd2ddbc587fcc4ad0f02976f43cd308f969de0c0aae6ae9f348e6b5fd55025d1d48e52299315e5c794044c34ee7236

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
468KB

MD5
1cfeadfe0b185304878a07837512acdb

SHA1
0d9220dc42878d5c3a24d5b99035924ff156582c

SHA256
d81d59b40eb08d1750f7563bd5cc36c25cd57719c4a190c92ca8d8c60b99c45e

SHA512
4aa5db4d3437da42ceeacb65db541be0c854aaf1eb3668076f50c02ede3af8f9cfed5a07bf1cbf39502f9792b7e0ac003e51eb193350dc52f505fab333f6a1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83DF.tmp.bat

Filesize
176B

MD5
7e0bef3c7ab09233477ca56d12b1c686

SHA1
aa47bd04766e066048b2b76c36fc1d425e411c4a

SHA256
283fe77039976ee773cde7c6a224a79a86aeedcf68848fd07a31be394bfcf52d

SHA512
dab6f29c6025cd0f9db2ae222ed7ca591b0d9c9785db5c2503e54f5df6a3cacda6b7585b3ec3cc69293bfe8a34776d437b4d44a6b51577b0c92c10616eb23a66

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
397KB

MD5
666a48d08cc36c4a0e975a234b84eb79

SHA1
0d23cbb9e155ab6471f26ffebed583fff724a30e

SHA256
a4d65d7e8f4d46de7c5b82fe125b71e31123161604ac3ce751988ff6cccc6110

SHA512
0fe7e1ada3003c74de1ee0ea057072a31268f6d0b9228cb178ad8dbea8a969dd9957aed79d7f3dcd4be20421d89708058bfa0fa764efc8bee3cf1150946e60e2

Download Submit
memory/2040-27-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2040-18-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2040-19-0x000000001C4A0000-0x000000001C520000-memory.dmp

Filesize
512KB

Download
memory/2040-17-0x0000000000070000-0x00000000005B4000-memory.dmp

Filesize
5.3MB

Download
memory/2260-0-0x0000000000270000-0x00000000007B4000-memory.dmp

Filesize
5.3MB

Download
memory/2260-12-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-1-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-31-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/3004-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-23-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/3004-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-39-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/3004-40-0x00000000021D0000-0x00000000021F0000-memory.dmp

Filesize
128KB

Download
memory/3004-41-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3004-43-0x00000000021D0000-0x00000000021F0000-memory.dmp

Filesize
128KB

Download
memory/3004-42-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads