xmrig | 8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47

General

Target

9b3430f42a0fb00d014c2fa208662865.exe
Size

4.8MB
MD5

9b3430f42a0fb00d014c2fa208662865
SHA1

09a16508bcc0a6da90c272daa2eff627ccd3205d
SHA256

8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47
SHA512

d2887d08a66e10af1e89fb60f2a4f8d7bae7dc5cccc0301a70cb5ff120094c5e6247b44cf3b1b2b1c7e5d48e687319b842a721d757ebb44cf484ef766db92e29
SSDEEP

98304:CdlaF/1RByjAQG/Mul2rq/aReDkizMeQUh:CdYvkji/Mul2rVe4iwVUh

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/memory/2676-20-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-23-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-26-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-25-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-24-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-22-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-30-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-32-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-33-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral1/memory/2676-34-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1424-1-0x0000000000320000-0x00000000007FA000-memory.dmp	net_reactor
behavioral1/files/0x000800000001ac08-10.dat	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
4436	.exe
3540	.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4436 set thread context of 2676	4436	.exe	82

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-18-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-17-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-20-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-23-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-24-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-22-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-30-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-32-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-33-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2676-34-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4336	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3772	schtasks.exe
3984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4436	.exe
3540	.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	9b3430f42a0fb00d014c2fa208662865.exe
Token: SeDebugPrivilege	4436	.exe
Token: SeLockMemoryPrivilege	2676	vbc.exe
Token: SeLockMemoryPrivilege	2676	vbc.exe
Token: SeDebugPrivilege	3540	.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 364	1424	9b3430f42a0fb00d014c2fa208662865.exe	74
PID 1424 wrote to memory of 364	1424	9b3430f42a0fb00d014c2fa208662865.exe	74
PID 364 wrote to memory of 4336	364	cmd.exe	76
PID 364 wrote to memory of 4336	364	cmd.exe	76
PID 364 wrote to memory of 4436	364	cmd.exe	77
PID 364 wrote to memory of 4436	364	cmd.exe	77
PID 4436 wrote to memory of 2716	4436	.exe	78
PID 4436 wrote to memory of 2716	4436	.exe	78
PID 2716 wrote to memory of 3772	2716	cmd.exe	80
PID 2716 wrote to memory of 3772	2716	cmd.exe	80
PID 4436 wrote to memory of 2676	4436	.exe	82
PID 4436 wrote to memory of 2676	4436	.exe	82
PID 4436 wrote to memory of 2676	4436	.exe	82
PID 4436 wrote to memory of 2676	4436	.exe	82
PID 4436 wrote to memory of 2676	4436	.exe	82
PID 4436 wrote to memory of 2676	4436	.exe	82
PID 4436 wrote to memory of 2676	4436	.exe	82
PID 3540 wrote to memory of 4572	3540	.exe	84
PID 3540 wrote to memory of 4572	3540	.exe	84
PID 4572 wrote to memory of 3984	4572	cmd.exe	87
PID 4572 wrote to memory of 3984	4572	cmd.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe
"C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4336
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3772
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work2 -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2676

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
4.8MB

MD5
9b3430f42a0fb00d014c2fa208662865

SHA1
09a16508bcc0a6da90c272daa2eff627ccd3205d

SHA256
8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47

SHA512
d2887d08a66e10af1e89fb60f2a4f8d7bae7dc5cccc0301a70cb5ff120094c5e6247b44cf3b1b2b1c7e5d48e687319b842a721d757ebb44cf484ef766db92e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
1KB

MD5
99e47c178875de9fe1675fe5ba0e1f42

SHA1
c28934210fbe9d2ee90e751b8cf21be297b3d171

SHA256
773f7a03c7b56de09b71249ce4920458ef67fda14b923df1d5ebc1725101b9ff

SHA512
7a4b79273bbc4b5966680a48d63115feed3ae48dfc0ea2a7a11e202d06d9ecab2b4b1b8e2a3d1eb9e9b35169cf9ca866f785875e19e5eeadfe11b54500c05f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp.bat

Filesize
168B

MD5
e65ec8d4cc2546d08d3d42d1b863c0f4

SHA1
5d8cc7621a7ec69c5d42063c717d39d0cab25d15

SHA256
92c03a0ab49883b6b18a3906b25c88f0316bbc0b76de17478febf9cc6f7a0f1b

SHA512
34c59ab7cbbaac4a0f4f54af5e2c2d145fe45078484477e694565b651e3243f4d9552c672051ad0a054acd2ee1b1fae1ddcb565d6ead1a2d964e6cd579c1c403

Download Submit
memory/1424-15-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp

Filesize
9.9MB

Download
memory/1424-1-0x0000000000320000-0x00000000007FA000-memory.dmp

Filesize
4.9MB

Download
memory/1424-7-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp

Filesize
9.9MB

Download
memory/1424-0-0x00007FF8C9B73000-0x00007FF8C9B74000-memory.dmp

Filesize
4KB

Download
memory/2676-22-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-34-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-18-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-17-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-21-0x000001E12E9A0000-0x000001E12E9C0000-memory.dmp

Filesize
128KB

Download
memory/2676-20-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-33-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-24-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-32-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2676-30-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4436-29-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp

Filesize
9.9MB

Download
memory/4436-13-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp

Filesize
9.9MB

Download
memory/4436-14-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp

Filesize
9.9MB

Download
memory/4436-16-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp

Filesize
9.9MB

Download
memory/4436-12-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads