Malicious
Classifications
Backdoor Miner PUA
Threat Names
XMRig App/Generic-MN XMRig.A
Dynamic Analysis Report
Created on 2024-10-01T19:34:22+00:00
OKLA.exe
Windows Exe (x86-32)
Remarks (2/2)
(0x0200001B): The maximum number of file Reputation Analysis requests per analysis (150) was exceeded.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 minutes" to "10 seconds" to reveal dormant functionality.
Kernel Graph 1
Code Block #1 (EP #1)
»
| Information | Value |
|---|---|
| Trigger | IopLoadDriver+0x51c |
| Start Address | 0xfffff801cf9c5008 |
Execution Path #1 (length: 4, count: 1, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 5 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlInitUnicodeString | SourceString = \Device\WinRing0_1_2_0, DestinationString_out = \Device\WinRing0_1_2_0 |
| IoCreateDevice | DriverObject_unk = 0xffffe00130fc98b0, DeviceExtensionSize = 0x0, DeviceName = \Device\WinRing0_1_2_0, DeviceType_unk = 0x9c40, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xffffd0007bffd240, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = \DosDevices\WinRing0_1_2_0, DestinationString_out = \DosDevices\WinRing0_1_2_0 |
| IoCreateSymbolicLink | SymbolicLinkName = \DosDevices\WinRing0_1_2_0, DeviceName = \Device\WinRing0_1_2_0, ret_val_out = 0x0 |
Kernel Graph 2
Code Block #2 (EP #2, #3)
»
| Information | Value |
|---|---|
| Trigger | IofCallDriver+0x4b |
| Start Address | 0xfffff801cf9c10d8 |
Execution Path #2 (length: 1, count: 2, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 4 (xmrig.exe, PID: 1680) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoCompleteRequest | ret_val_out = 0x884 |
Execution Path #3 (length: 2, count: 1, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 4 (xmrig.exe, PID: 1680) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KiGeneralProtectionFault | |
| IoCompleteRequest | ret_val_out = 0x0 |
Kernel Graph 3
Code Block #3 (EP #4)
»
| Information | Value |
|---|---|
| Trigger | ??_C@_1CO@EJFNEBPH@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAT?$AAr?$AAa?$AAc?$AAi?$AAn?$AAg?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr?$AAS?$AAe?$AAt?$AA?$AA@NNGAKEGL@+0x719ab |
| Start Address | 0xfffff801cf9c1424 |
Execution Path #4 (length: 3, count: 1, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 5 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlInitUnicodeString | SourceString = \DosDevices\WinRing0_1_2_0, DestinationString_out = \DosDevices\WinRing0_1_2_0 |
| IoDeleteSymbolicLink | SymbolicLinkName = \DosDevices\WinRing0_1_2_0, ret_val_out = 0x0 |
| IoDeleteDevice | DeviceObject_unk = 0xffffe00131465ba0 |
Kernel Graph 4
Code Block #4 (EP #5)
»
| Information | Value |
|---|---|
| Trigger | KiRetireDpcList+0x5f3 |
| Start Address | 0xffffe0012ef49075 |
Execution Path #5 (length: 3, count: 2, processes: 1 )
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 4 (xmrig.exe, PID: 1680) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe001310c761e, SpinLock_unk_out = 0xffffe001310c761e, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe001310c761e, NewIrql_unk = 0x90891d6792492d02, SpinLock_unk_out = 0xffffe001310c761e |
| ExQueueWorkItem | WorkItem_ptr = 0xffffe001310c75b6, WorkItem_deref_List.Flink_unk = 0x0, WorkItem_deref_List.Blink_unk = 0xfffff8037b5b1418, WorkItem_deref_WorkerRoutine_unk = 0xfffff8037b35a084, WorkItem_deref_Parameter_ptr = 0xffffe0012ec674d7, QueueType_unk = 0x1, WorkItem_ptr_out = 0xffffe001310c75b6, WorkItem_deref_List.Flink_unk_out = 0x0, WorkItem_deref_List.Blink_unk_out = 0xfffff8037b5b1418, WorkItem_deref_WorkerRoutine_unk_out = 0xfffff8037b35a084, WorkItem_deref_Parameter_ptr_out = 0xffffe0012ec674d7 |
Kernel Graph 5
Code Block #5 (EP #6)
»
| Information | Value |
|---|---|
| Trigger | KiMarkBugCheckRegions+0x32a |
| Start Address | 0xffffe001310d89dd |
Execution Path #6 (length: 2, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 5 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x69289, Tag = 0x6944624f, ret_val_ptr_out = 0xffffe0013154c000 |
| KeSetCoalescableTimer | Timer_unk = 0xffffe0012ef48cff, DueTime_unk = 0xffffffffb3962b64, Period = 0x0, TolerableDelay = 0xda6, Dpc_unk = 0xffffe0012ef48d3f, Timer_unk_out = 0xffffe0012ef48cff, ret_val_out = 0 |
Kernel Graph 6
Code Block #6 (EP #7)
»
| Information | Value |
|---|---|
| Trigger | KiMarkBugCheckRegions+0x32a |
| Start Address | 0xffffe0013155deb9 |
Execution Path #7 (length: 3, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 5 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd5e, Tag = 0x6944624f, ret_val_ptr_out = 0xffffe0012fc1f010 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x68fd2, Tag = 0x6944624f, ret_val_ptr_out = 0xffffe001315fe000 |
| KeSetCoalescableTimer | Timer_unk = 0xffffe0012ef48cff, DueTime_unk = 0xffffffffb772ceff, Period = 0x0, TolerableDelay = 0x7ca, Dpc_unk = 0xffffe0012ef48d3f, Timer_unk_out = 0xffffe0012ef48cff, ret_val_out = 0 |
