xmrig | 8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

Analysis

max time kernel
299s
max time network
298s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000860000-0x0000000000E00000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0026000000016032-17.dat	family_zgrat_v1
behavioral1/memory/2796-19-0x00000000010E0000-0x0000000001680000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0026000000016032-47.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1032-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-40-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-41-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/1032-44-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000860000-0x0000000000E00000-memory.dmp	net_reactor
behavioral1/files/0x0026000000016032-17.dat	net_reactor
behavioral1/memory/2796-19-0x00000000010E0000-0x0000000001680000-memory.dmp	net_reactor
behavioral1/files/0x0026000000016032-47.dat	net_reactor

Executes dropped EXE 2 IoCs

Processes:

.exe.exe

pid	Process
2796	.exe
1768	.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid	Process
2144	cmd.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1032-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-40-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-41-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/1032-44-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

.exe

description	pid	Process	procid_target
PID 2796 set thread context of 1032	2796	.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2832	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2152	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

.exe.exe

pid	Process
2796	.exe
1768	.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
468

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe.exevbc.exe.exe

description	pid	Process
Token: SeDebugPrivilege	3032	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe
Token: SeDebugPrivilege	2796	.exe
Token: SeLockMemoryPrivilege	1032	vbc.exe
Token: SeLockMemoryPrivilege	1032	vbc.exe
Token: SeDebugPrivilege	1768	.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid	Process
1032	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.execmd.exe.execmd.exetaskeng.exe.exe

description	pid	Process	procid_target
PID 3032 wrote to memory of 2144	3032	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe	28
PID 3032 wrote to memory of 2144	3032	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe	28
PID 3032 wrote to memory of 2144	3032	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe	28
PID 2144 wrote to memory of 2152	2144	cmd.exe	30
PID 2144 wrote to memory of 2152	2144	cmd.exe	30
PID 2144 wrote to memory of 2152	2144	cmd.exe	30
PID 2144 wrote to memory of 2796	2144	cmd.exe	31
PID 2144 wrote to memory of 2796	2144	cmd.exe	31
PID 2144 wrote to memory of 2796	2144	cmd.exe	31
PID 2796 wrote to memory of 2732	2796	.exe	32
PID 2796 wrote to memory of 2732	2796	.exe	32
PID 2796 wrote to memory of 2732	2796	.exe	32
PID 2732 wrote to memory of 2832	2732	cmd.exe	34
PID 2732 wrote to memory of 2832	2732	cmd.exe	34
PID 2732 wrote to memory of 2832	2732	cmd.exe	34
PID 2796 wrote to memory of 1032	2796	.exe	36
PID 2796 wrote to memory of 1032	2796	.exe	36
PID 2796 wrote to memory of 1032	2796	.exe	36
PID 2796 wrote to memory of 1032	2796	.exe	36
PID 2796 wrote to memory of 1032	2796	.exe	36
PID 2796 wrote to memory of 1032	2796	.exe	36
PID 2796 wrote to memory of 1032	2796	.exe	36
PID 2880 wrote to memory of 1768	2880	taskeng.exe	40
PID 2880 wrote to memory of 1768	2880	taskeng.exe	40
PID 2880 wrote to memory of 1768	2880	taskeng.exe	40
PID 1768 wrote to memory of 2312	1768	.exe	41
PID 1768 wrote to memory of 2312	1768	.exe	41
PID 1768 wrote to memory of 2312	1768	.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe
"C:\Users\Admin\AppData\Local\Temp\8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A7B.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2152
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2832
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1032

C:\Windows\system32\taskeng.exe
taskeng.exe {4B956C8B-6B07-49C9-98A5-DE9DC7895D64} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.6MB

MD5
1a27bd843a09f923661a15300e02d703

SHA1
5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6

SHA256
8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

SHA512
330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
576KB

MD5
84e182b0898f67a8e84ab156eb708c40

SHA1
8b5c5c8aec6e3a158c6537cc267d7e527dd3c7cf

SHA256
9a5ad240fd3e1749d1d1ec2100ef2295fe5a4ea113c2bfd961649deea402969b

SHA512
79b94c2e6fdc345a410cc440112bcd2d4ddd5bc5a58c55d39df82db88817a1a1dc8229a9ae5bbc45d45988cd0e1aea672f624a498f74a2963bc347e3ccc96346

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A7B.tmp.bat

Filesize
168B

MD5
6f48df6a5ccd2addbd2ef28c4a8ab6aa

SHA1
f704541829586a4db04851d1c1384ab06332b40f

SHA256
7cca9ea4bf320521e623a5b618c492a51d019f6b1418b8c05513569653c510c7

SHA512
b076298efdc4b5514dc3286cd912e656eccabff4a1d504041f2c04d78798f3eb3d89c1e3aad4dc5aad6496354f70d30df6c614ed739637d19294f8fade39a031

Download Submit
memory/1032-43-0x00000000002D0000-0x00000000002F0000-memory.dmp

Filesize
128KB

Download
memory/1032-44-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-34-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1032-46-0x00000000002D0000-0x00000000002F0000-memory.dmp

Filesize
128KB

Download
memory/1032-45-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1032-42-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1032-41-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-26-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/1032-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-40-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1032-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1768-48-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-52-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1768-51-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-50-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1768-49-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/2796-30-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-20-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-21-0x000000001C400000-0x000000001C480000-memory.dmp

Filesize
512KB

Download
memory/2796-22-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2796-19-0x00000000010E0000-0x0000000001680000-memory.dmp

Filesize
5.6MB

Download
memory/3032-0-0x0000000000860000-0x0000000000E00000-memory.dmp

Filesize
5.6MB

Download
memory/3032-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-2-0x000000001C790000-0x000000001C810000-memory.dmp

Filesize
512KB

Download
memory/3032-14-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-3-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download