XMRig,XMRig.A | edc3533b7540

Classifications

Backdoor Miner PUA

Threat Names

XMRig App/Generic-GD XMRig.A

Dynamic Analysis Report

Created on 2024-10-01T19:36:10+00:00

OKLA.exe

Windows Exe (x86-32)

Remarks (1/1)

Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "3 minutes" to "10 seconds" to reveal dormant functionality.

Kernel Graph 1

Code Block #1 (EP #1)

Information	Value
Trigger	_guard_dispatch_icall+0x71
Start Address	0xfffff8012acc5008

Execution Path #1 (length: 4, count: 1, processes: 1 )

Information	Value
Sequence Length	4

Processes

Process	Count
Process 8 (System, PID: 4)	1

Sequence

Symbol	Parameters
RtlInitUnicodeString	SourceString = \Device\WinRing0_1_2_0, DestinationString_out = \Device\WinRing0_1_2_0
IoCreateDevice	DriverObject_unk = 0xffffa10456695e30, DeviceExtensionSize = 0x0, DeviceName = \Device\WinRing0_1_2_0, DeviceType_unk = 0x9c40, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xffffc800d4a92250, ret_val_out = 0x0
RtlInitUnicodeString	SourceString = \DosDevices\WinRing0_1_2_0, DestinationString_out = \DosDevices\WinRing0_1_2_0
IoCreateSymbolicLink	SymbolicLinkName = \DosDevices\WinRing0_1_2_0, DeviceName = \Device\WinRing0_1_2_0, ret_val_out = 0x0

Kernel Graph 2

Code Block #2 (EP #2, #3)

Information	Value
Trigger	_guard_dispatch_icall+0x71
Start Address	0xfffff8012acc10d8

Execution Path #2 (length: 1, count: 2, processes: 1 )

Information	Value
Sequence Length	1

Processes

Process	Count
Process 6 (xmrig.exe, PID: 3092)	2

Sequence

Symbol	Parameters
IofCompleteRequest	Irp_unk = 0xffffa104566a4b00, PriorityBoost = 0

Execution Path #3 (length: 2, count: 1, processes: 1 )

Information	Value
Sequence Length	2

Processes

Process	Count
Process 6 (xmrig.exe, PID: 3092)	1

Sequence

Symbol	Parameters
KiGeneralProtectionFault
IofCompleteRequest	Irp_unk = 0xffffa104566a4b00, PriorityBoost = 0

Kernel Graph 3

Code Block #3 (EP #4)

Information	Value
Trigger	_guard_dispatch_icall+0x71
Start Address	0xfffff8012acc1424

Execution Path #4 (length: 3, count: 1, processes: 1 )

Information	Value
Sequence Length	3

Processes

Process	Count
Process 8 (System, PID: 4)	1

Sequence

Symbol	Parameters
RtlInitUnicodeString	SourceString = \DosDevices\WinRing0_1_2_0, DestinationString_out = \DosDevices\WinRing0_1_2_0
IoDeleteSymbolicLink	SymbolicLinkName = \DosDevices\WinRing0_1_2_0, ret_val_out = 0x0
IoDeleteDevice	DeviceObject_unk = 0xffffa1046a3dda70

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

Before

After

WHOIS Domain Information

Screenshot

Domain Name
WHOIS Response