xmrig | 8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47

General

Target

9b3430f42a0fb00d014c2fa208662865.exe
Size

4.8MB
MD5

9b3430f42a0fb00d014c2fa208662865
SHA1

09a16508bcc0a6da90c272daa2eff627ccd3205d
SHA256

8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47
SHA512

d2887d08a66e10af1e89fb60f2a4f8d7bae7dc5cccc0301a70cb5ff120094c5e6247b44cf3b1b2b1c7e5d48e687319b842a721d757ebb44cf484ef766db92e29
SSDEEP

98304:CdlaF/1RByjAQG/Mul2rq/aReDkizMeQUh:CdYvkji/Mul2rVe4iwVUh

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/1800-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-24-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1800-40-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3992-0-0x0000000000990000-0x0000000000E6A000-memory.dmp	net_reactor
behavioral2/files/0x0006000000023215-13.dat	net_reactor
behavioral2/files/0x0006000000023215-12.dat	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1800-18-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-20-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1800-40-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 1800	2780	.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1880	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4024	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	9b3430f42a0fb00d014c2fa208662865.exe
Token: SeDebugPrivilege	2780	.exe
Token: SeLockMemoryPrivilege	1800	vbc.exe
Token: SeLockMemoryPrivilege	1800	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1800	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 3560	3992	9b3430f42a0fb00d014c2fa208662865.exe	87
PID 3992 wrote to memory of 3560	3992	9b3430f42a0fb00d014c2fa208662865.exe	87
PID 3560 wrote to memory of 4024	3560	cmd.exe	88
PID 3560 wrote to memory of 4024	3560	cmd.exe	88
PID 3560 wrote to memory of 2780	3560	cmd.exe	89
PID 3560 wrote to memory of 2780	3560	cmd.exe	89
PID 2780 wrote to memory of 4076	2780	.exe	91
PID 2780 wrote to memory of 4076	2780	.exe	91
PID 4076 wrote to memory of 1880	4076	cmd.exe	93
PID 4076 wrote to memory of 1880	4076	cmd.exe	93
PID 2780 wrote to memory of 1800	2780	.exe	100
PID 2780 wrote to memory of 1800	2780	.exe	100
PID 2780 wrote to memory of 1800	2780	.exe	100
PID 2780 wrote to memory of 1800	2780	.exe	100
PID 2780 wrote to memory of 1800	2780	.exe	100
PID 2780 wrote to memory of 1800	2780	.exe	100
PID 2780 wrote to memory of 1800	2780	.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe
"C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4024
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
486KB

MD5
7a14e29eae2d9f2854edd04254a0e6c7

SHA1
d2b7f4d530f6550fe171cc7be768f9a75fee31ab

SHA256
0d4d780921e2a0dfab7256a1736b52897bd79880a3099d2101f96abc21e08697

SHA512
58e7b8b3402efe1e44300a0021d628980e0a174f8eb1cb468947f3c5b2390add2db170b4a0d77ed55315bec8852cab8fb61cc37cdad847c7af73c44713b8a83a

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
495KB

MD5
7b32894b5cce3d3e639d8edfe83b3732

SHA1
061da55a51deaf0f4f77a88d17bee1b18d858ff7

SHA256
6e8a4281635c01e7c5f2b19826705d544ffe5d681256c53380496b8e3438eed1

SHA512
95d2abbf2c8b5ce4fb7a62484e0e579613ce2ad9b60ac530155f4f70b2b464c577f482872c145fa9b7f92120e371bf90fa591d54c0dc69805de608b9fa77f263

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.bat

Filesize
168B

MD5
087adf66381bbd31593de1b9b61f9abd

SHA1
06a3084c996951e7891682d53b0d129910aa0a3c

SHA256
01ed5514455ca118ded2abc7267caa2f8c8837b9e384eb1e16fd557df2bbe7c8

SHA512
cd20aad34814ddef12a473c98e6f0dd3857faa13517f2b3dd3e59184aa99de5c7d0003fb54f02f2c94ce551d997e4c0cad4dc40edf95aaf1610c8fabb4c109a8

Download Submit
memory/1800-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-42-0x000001DB7F140000-0x000001DB7F160000-memory.dmp

Filesize
128KB

Download
memory/1800-41-0x000001DB7F120000-0x000001DB7F140000-memory.dmp

Filesize
128KB

Download
memory/1800-40-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-38-0x000001DB7F120000-0x000001DB7F140000-memory.dmp

Filesize
128KB

Download
memory/1800-39-0x000001DB7F140000-0x000001DB7F160000-memory.dmp

Filesize
128KB

Download
memory/1800-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-18-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-25-0x000001DB7EE90000-0x000001DB7EEB0000-memory.dmp

Filesize
128KB

Download
memory/1800-33-0x000001DB7F100000-0x000001DB7F120000-memory.dmp

Filesize
128KB

Download
memory/1800-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1800-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2780-22-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/2780-17-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/2780-16-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/2780-15-0x000000001C620000-0x000000001C630000-memory.dmp

Filesize
64KB

Download
memory/2780-14-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/3992-2-0x000000001C920000-0x000000001C930000-memory.dmp

Filesize
64KB

Download
memory/3992-0-0x0000000000990000-0x0000000000E6A000-memory.dmp

Filesize
4.9MB

Download
memory/3992-1-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/3992-3-0x0000000001710000-0x0000000001711000-memory.dmp

Filesize
4KB

Download
memory/3992-10-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads