xmrig | 1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca

Analysis

max time kernel
298s
max time network
278s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/05/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
Size

6.4MB
MD5

5093b7701b02bf012b6c9c9394af9885
SHA1

0aaec14d6d64a0c9ea29e731d6a8e829476421c2
SHA256

1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca
SHA512

713a35519bdac80eab304537e91783a3f98ff3eb49e6950e0f28796d183daac55a5e28304fcdbcf477157a40b2750818ee3c0d34499ac26e4bb9d9d567c78f3d
SSDEEP

196608:F2cWufAOP6d/8Bw4ArHeKWfTZoif7UA7dR:FxMorqLWttfAA7

Score

10^/10

xmrig zgrat miner rat upx

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/2360-4-0x000001F8B0A50000-0x000001F8B0E6E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-6-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-5-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-26-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-18-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-30-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-36-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-48-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-50-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-62-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-68-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-66-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-64-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-60-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-58-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-56-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-54-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-52-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-46-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-44-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-42-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-40-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-38-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-34-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-32-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-28-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-24-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-22-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-20-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-16-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-14-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-12-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-10-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1
behavioral2/memory/2360-8-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/684-4907-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/684-4916-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/684-4907-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/684-4916-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 3084 set thread context of 684	3084	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	74

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3084	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
Token: SeDebugPrivilege	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
Token: SeLockMemoryPrivilege	684	explorer.exe
Token: SeLockMemoryPrivilege	684	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 2360 wrote to memory of 3084	2360	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	73
PID 3084 wrote to memory of 684	3084	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	74
PID 3084 wrote to memory of 684	3084	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	74
PID 3084 wrote to memory of 684	3084	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	74
PID 3084 wrote to memory of 684	3084	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	74
PID 3084 wrote to memory of 684	3084	1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe	74

C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
"C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed1fde501734830f4ab25df9117e279b595b5843e6c08ef73bbc4625ac091ca.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/684-4907-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/684-4915-0x00000000009C0000-0x00000000009E0000-memory.dmp

Filesize
128KB

Download
memory/684-4916-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/684-4919-0x0000000000A10000-0x0000000000A30000-memory.dmp

Filesize
128KB

Download
memory/684-4920-0x0000000000A10000-0x0000000000A30000-memory.dmp

Filesize
128KB

Download
memory/2360-46-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-62-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-3-0x000001F8B0110000-0x000001F8B0946000-memory.dmp

Filesize
8.2MB

Download
memory/2360-4-0x000001F8B0A50000-0x000001F8B0E6E000-memory.dmp

Filesize
4.1MB

Download
memory/2360-6-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-5-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-26-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-18-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-30-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-36-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-48-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-50-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-42-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-68-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-66-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-64-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-60-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-58-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-56-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-54-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-52-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-1-0x000001F895620000-0x000001F895C88000-memory.dmp

Filesize
6.4MB

Download
memory/2360-2-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-44-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-20-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-38-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-34-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-32-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-28-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-24-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-22-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-40-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-16-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-14-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-12-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-10-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-8-0x000001F8B0A50000-0x000001F8B0E69000-memory.dmp

Filesize
4.1MB

Download
memory/2360-4885-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-4887-0x000001F8B11D0000-0x000001F8B121C000-memory.dmp

Filesize
304KB

Download
memory/2360-4886-0x000001F8B0F70000-0x000001F8B11CA000-memory.dmp

Filesize
2.4MB

Download
memory/2360-4888-0x00007FFAD8ED3000-0x00007FFAD8ED4000-memory.dmp

Filesize
4KB

Download
memory/2360-4889-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-0-0x00007FFAD8ED3000-0x00007FFAD8ED4000-memory.dmp

Filesize
4KB

Download
memory/2360-4890-0x000001F8B1220000-0x000001F8B1274000-memory.dmp

Filesize
336KB

Download
memory/2360-4896-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

Filesize
9.9MB

Download
memory/3084-4895-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3084-4906-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download