xmrig | 1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca

Analysis

max time kernel
300s
max time network
278s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
Size

6.4MB
MD5

5093b7701b02bf012b6c9c9394af9885
SHA1

0aaec14d6d64a0c9ea29e731d6a8e829476421c2
SHA256

1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca
SHA512

713a35519bdac80eab304537e91783a3f98ff3eb49e6950e0f28796d183daac55a5e28304fcdbcf477157a40b2750818ee3c0d34499ac26e4bb9d9d567c78f3d
SSDEEP

196608:F2cWufAOP6d/8Bw4ArHeKWfTZoif7UA7dR:FxMorqLWttfAA7

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1820-4-0x000000001DEE0000-0x000000001E2FE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-5-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-8-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-6-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-10-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-12-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-14-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-16-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-18-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-20-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-22-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-24-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-26-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-28-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-30-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-32-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-34-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-36-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-38-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-40-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-42-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-44-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-46-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-48-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-68-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-66-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-64-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-62-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-60-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-58-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-56-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-54-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-52-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1
behavioral1/memory/1820-50-0x000000001DEE0000-0x000000001E2F9000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/572-4916-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/572-4925-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/572-4916-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/572-4925-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1768 set thread context of 572	1768	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1768	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
Token: SeDebugPrivilege	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
Token: SeLockMemoryPrivilege	572	explorer.exe
Token: SeLockMemoryPrivilege	572	explorer.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1820 wrote to memory of 1768	1820	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	28
PID 1768 wrote to memory of 572	1768	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	31
PID 1768 wrote to memory of 572	1768	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	31
PID 1768 wrote to memory of 572	1768	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	31
PID 1768 wrote to memory of 572	1768	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	31
PID 1768 wrote to memory of 572	1768	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	31

C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
"C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-4916-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/572-4924-0x0000000001B50000-0x0000000001B70000-memory.dmp

Filesize
128KB

Download
memory/572-4925-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/572-4926-0x0000000001B50000-0x0000000001B70000-memory.dmp

Filesize
128KB

Download
memory/1768-4905-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1768-4912-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1820-32-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-42-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-3-0x000000001D6A0000-0x000000001DED6000-memory.dmp

Filesize
8.2MB

Download
memory/1820-4-0x000000001DEE0000-0x000000001E2FE000-memory.dmp

Filesize
4.1MB

Download
memory/1820-5-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-8-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-6-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-10-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-12-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-14-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-16-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-18-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-20-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-22-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-24-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-26-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-28-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-30-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-1-0x0000000000810000-0x0000000000E78000-memory.dmp

Filesize
6.4MB

Download
memory/1820-34-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-36-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-38-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-40-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-44-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-46-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-48-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-68-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-66-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-64-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-62-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-60-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-58-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-56-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-54-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-52-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-50-0x000000001DEE0000-0x000000001E2F9000-memory.dmp

Filesize
4.1MB

Download
memory/1820-4885-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-4886-0x000000001E300000-0x000000001E55A000-memory.dmp

Filesize
2.4MB

Download
memory/1820-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/1820-4887-0x0000000000790000-0x00000000007DC000-memory.dmp

Filesize
304KB

Download
memory/1820-4888-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/1820-4889-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-4890-0x0000000000F80000-0x0000000000FD4000-memory.dmp

Filesize
336KB

Download
memory/1820-4904-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download