xmrig | 216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0

General

Target

216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe
Size

5.3MB
MD5

f0615222efdb2699a7d869641bcf7eab
SHA1

e346c26ede7d5e6e97bc5f9578a3c7dc5853e4af
SHA256

216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0
SHA512

d0a817eeaa3ecd507e778fc1422a0989d116d0d635d976924681176e17e9d7a38f1d9963954def8892bf9483ba6de989595114e2da009281e2b2489796e34a16
SSDEEP

49152:+a2+8ZkbcfOPIMmuv2d2cWfGmsQZ0Wf8f8QlWuWzVjnbXGp8mih7NUfXUu4tEqN5:+aTX1HlUUdG/Mul2rq/aReDkizMeQUa

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/3996-0-0x0000000000850000-0x0000000000D94000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00070000000231e5-10.dat	family_zgrat_v1
behavioral2/files/0x00070000000231e5-9.dat	family_zgrat_v1
behavioral2/files/0x00070000000231e5-39.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/5084-21-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-22-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-24-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-18-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/5084-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3996-0-0x0000000000850000-0x0000000000D94000-memory.dmp	net_reactor
behavioral2/files/0x00070000000231e5-10.dat	net_reactor
behavioral2/files/0x00070000000231e5-9.dat	net_reactor
behavioral2/files/0x00070000000231e5-39.dat	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
4620	OneDrive.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5084-15-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-17-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-18-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-19-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-13-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/5084-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4464	schtasks.exe
1668	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2420	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe
Token: SeDebugPrivilege	4620	OneDrive.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 1036	3996	216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe	93
PID 3996 wrote to memory of 1036	3996	216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe	93
PID 1036 wrote to memory of 2420	1036	cmd.exe	88
PID 1036 wrote to memory of 2420	1036	cmd.exe	88
PID 1036 wrote to memory of 4620	1036	cmd.exe	94
PID 1036 wrote to memory of 4620	1036	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe
"C:\Users\Admin\AppData\Local\Temp\216af63fedbf9379d7d2f6b52eb81d3b19a1310fa0cb365a6121788b2b48baa0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4575.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
      4⤵
      PID:2220
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      PID:5084

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2420

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
1⤵
- Creates scheduled task(s)
PID:4464

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
1⤵
PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
  2⤵
  PID:2692
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
365KB

MD5
3332729da0a8e1ddcdb7299f0878dfeb

SHA1
3ef86fc661071a22176dab570d66ebc70383b790

SHA256
a13156e9188cbd6122111846b8022e74687ea394dadeb6d693644a5b9926f5ab

SHA512
3fe308ff73dcd8b1a633aa6126a7a9653cf5177ce82722ac028f3b6d7a6d2c903e62dadd5d50f5e25e7dd569b871a3739efad178fb72d971ca1cb621b1e9c0d6

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
92KB

MD5
a74feed566cbf9d29290105554666c90

SHA1
09de9554a723cd43b3f173002cbf77b3bb343c28

SHA256
174f1f7862ce0a0c196cff7cce48f0f2c1fd4e0690aeac3941eeb58363bb81b9

SHA512
050dfe848e9368240b96ab304cd347826203b8c98cec0bbfb73f524a023c89a2eb10314e51de876441998a671caedc8ce8e45efbc6d2ccd1fb3c31ac4247e683

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
2.2MB

MD5
6ff38537228ad8d9bd8cea31a5c26c7c

SHA1
84f5dbd05dba8c484d7ee04e77c8dfcacf4416f6

SHA256
06a1d52043929b3a564ae337d325d4da785e61ead95f8de3d6dc0146d0a42912

SHA512
e9e7311523842eded61963356093a6ba2187c611f40330ebc41d7bd9cc0d4f20386d9a51df0d4e3eea0d90c5f867dd092a8a95f10c7bb439ca2c8f929d31a97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log

Filesize
1KB

MD5
f26118d675c61402c218ac6794d90a63

SHA1
ffc8d592f3ca8255ca5119eff5b576eb16ac7fac

SHA256
d049789c187b2f58c900eab10205bc037740dca8640ab40c314790fefaab66ff

SHA512
6f14b71dae095131053a1b590e60ccec4e14c47c745bf9d52de48988d7b93b1f50bbb6bac0222dc49e3e45def052b20be2d34e116991027718da2e0fb8eb45d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4575.tmp.bat

Filesize
176B

MD5
4a1c74369cdc2e3a4f8ed6916a4b8e56

SHA1
8aaefe785d004b671d4bb81eb42625db1b91e6f0

SHA256
be33f30533ff62084ba1f21cb7cab8a9a94aae30a5fd6294905567aa993aa7d3

SHA512
37469b39a045c94bdc50f7232b492364246e1d5764daa7ee6901bfef26cc32a874c4ea43e81d2f34f34dfeec88fae9524003d26f54eae114cb8992e0868c5893

Download Submit
memory/1920-43-0x00007FFA549F0000-0x00007FFA554B1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-42-0x000000001C7E0000-0x000000001C7F0000-memory.dmp

Filesize
64KB

Download
memory/1920-41-0x00007FFA549F0000-0x00007FFA554B1000-memory.dmp

Filesize
10.8MB

Download
memory/3996-7-0x00007FFA56190000-0x00007FFA56C51000-memory.dmp

Filesize
10.8MB

Download
memory/3996-34-0x00007FFA56190000-0x00007FFA56C51000-memory.dmp

Filesize
10.8MB

Download
memory/3996-0-0x0000000000850000-0x0000000000D94000-memory.dmp

Filesize
5.3MB

Download
memory/4620-12-0x000000001C680000-0x000000001C690000-memory.dmp

Filesize
64KB

Download
memory/4620-11-0x00007FFA551D0000-0x00007FFA55C91000-memory.dmp

Filesize
10.8MB

Download
memory/4620-16-0x00007FFA551D0000-0x00007FFA55C91000-memory.dmp

Filesize
10.8MB

Download
memory/5084-13-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-19-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-28-0x0000022ADE410000-0x0000022ADE430000-memory.dmp

Filesize
128KB

Download
memory/5084-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-33-0x0000022ADE430000-0x0000022ADE450000-memory.dmp

Filesize
128KB

Download
memory/5084-18-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-35-0x0000022ADE450000-0x0000022ADE470000-memory.dmp

Filesize
128KB

Download
memory/5084-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-37-0x0000022ADE430000-0x0000022ADE450000-memory.dmp

Filesize
128KB

Download
memory/5084-38-0x0000022ADE450000-0x0000022ADE470000-memory.dmp

Filesize
128KB

Download
memory/5084-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-20-0x0000022ADCAD0000-0x0000022ADCAF0000-memory.dmp

Filesize
128KB

Download
memory/5084-17-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5084-15-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads