Malicious
Classifications
Backdoor PUA Miner
Threat Names
XMRig XMRig.A
Dynamic Analysis Report
Created on 2024-10-01T19:34:27+00:00
OKLA.exe
Windows Exe (x86-32)
Remarks (1/1)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 minutes" to "10 seconds" to reveal dormant functionality.
Kernel Graph 1
Code Block #1 (EP #1)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x71 |
| Start Address | 0xfffff8077d255008 |
Execution Path #1 (length: 4, count: 1, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 8 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlInitUnicodeString | SourceString = \Device\WinRing0_1_2_0, DestinationString_out = \Device\WinRing0_1_2_0 |
| IoCreateDevice | DriverObject_unk = 0xffff968cf7ab0a70, DeviceExtensionSize = 0x0, DeviceName = \Device\WinRing0_1_2_0, DeviceType_unk = 0x9c40, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xffffc1081df8a2d0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = \DosDevices\WinRing0_1_2_0, DestinationString_out = \DosDevices\WinRing0_1_2_0 |
| IoCreateSymbolicLink | SymbolicLinkName = \DosDevices\WinRing0_1_2_0, DeviceName = \Device\WinRing0_1_2_0, ret_val_out = 0x0 |
Kernel Graph 2
Code Block #2 (EP #2, #3)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x71 |
| Start Address | 0xfffff8077d2510d8 |
Execution Path #2 (length: 1, count: 2, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (xmrig.exe, PID: 3212) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IofCompleteRequest | Irp_unk = 0xffff968d0102f810, PriorityBoost = 0 |
Execution Path #3 (length: 2, count: 1, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (xmrig.exe, PID: 3212) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KiGeneralProtectionFault | |
| IofCompleteRequest | Irp_unk = 0xffff968d0102f810, PriorityBoost = 0 |
Kernel Graph 3
Code Block #3 (EP #4)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x71 |
| Start Address | 0xfffff8077d251424 |
Execution Path #4 (length: 3, count: 1, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 8 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlInitUnicodeString | SourceString = \DosDevices\WinRing0_1_2_0, DestinationString_out = \DosDevices\WinRing0_1_2_0 |
| IoDeleteSymbolicLink | SymbolicLinkName = \DosDevices\WinRing0_1_2_0, ret_val_out = 0x0 |
| IoDeleteDevice | DeviceObject_unk = 0xffff968cfdce9b70 |
Kernel Graph 4
Code Block #4 (EP #5)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x71 |
| Start Address | 0xffffac800b5f0148 |
Execution Path #5 (length: 2, count: 2, processes: 2 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 32 (trustedinstaller.exe, PID: 3696) | 1 |
| Process 120 (shellexperiencehost.exe, PID: 4456) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffac800b5f0948, SpinLock_unk_out = 0xffffac800b5f0948, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffac800b5f0948, NewIrql_unk = 0x4371f28bb7536002, SpinLock_unk_out = 0xffffac800b5f0948 |
Kernel Graph 5
Code Block #5 (EP #6)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x71 |
| Start Address | 0xffffac800b60b84c |
Execution Path #6 (length: 20, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 20 |
Processes
»
| Process | Count |
|---|---|
| Process 8 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmGetSessionById | ret_val_out = 0xffff968d0dd25140 |
| MmAttachSession | ret_val_out = 0x0 |
| MmSessionGetWin32Callouts | ret_val_out = 0xfffff8077981fea8 |
| ExReferenceCallBackBlock | ret_val_out = 0xffff968cf52feca0 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffff968cf52fecae |
| MmDetachSession | ret_val_out = 0x0 |
| MmQuitNextSession | ret_val_out = 0x0 |
| MmAllocateIndependentPages | ret_val_out = 0xffffac800b1ff000 |
| MmSetPageProtection | ret_val_out = 0x1 |
| KeSetCoalescableTimer | Timer_unk = 0xffff968cf00e5cb3, DueTime_unk = 0xffffffffb6701cc6, Period = 0x0, TolerableDelay = 0x333, Dpc_unk = 0xffff968cf00e5cf3, Timer_unk_out = 0xffff968cf00e5cb3, ret_val_out = 0 |
| MmGetSessionById | ret_val_out = 0xffff968d0dd25140 |
| MmAttachSession | ret_val_out = 0x0 |
| MmSessionGetWin32Callouts | ret_val_out = 0xfffff8077981fea8 |
| ExReferenceCallBackBlock | ret_val_out = 0xffff968cf52feca0 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffff968cf52fecae |
| MmDetachSession | ret_val_out = 0x0 |
| MmQuitNextSession | ret_val_out = 0x0 |
| ExFreePool | P_ptr = 0xffff968cefb71000 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70c22, Tag = 0x70764946, ret_val_ptr_out = 0xffff968cefb82000 |
| KeSetCoalescableTimer | Timer_unk = 0xffff968cf0138d42, DueTime_unk = 0xffffffffb4958525, Period = 0x0, TolerableDelay = 0x2535, Dpc_unk = 0xffff968cf0138d82, Timer_unk_out = 0xffff968cf0138d42, ret_val_out = 0 |
