xmrig | 4a9006cf3b6e40360af21fbc2c9c419a58212f9fc06cb2a534240790a2e6dbac

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
26-01-2021 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

Score

10^/10

xmrig discovery evasion miner persistence trojan

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

WINWORD.exe

pid process

1516 WINWORD.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1516	WINWORD.exe

Loads dropped DLL 2 IoCs

Processes:

de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

pid	process
792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe
792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1224 icacls.exe

pid	process
1224	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayer Update = "C:\\Users\\Admin\\AppData\\Roaming\\divandshare.exe"	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

Drops file in System32 directory 1 IoCs

Processes:

de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\WINWORD.exe de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WINWORD.exe	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.execmd.execmd.exe

description	pid	process	target process
PID 792 wrote to memory of 2044	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 792 wrote to memory of 2044	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 792 wrote to memory of 2044	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 792 wrote to memory of 2044	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 792 wrote to memory of 1104	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 792 wrote to memory of 1104	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 792 wrote to memory of 1104	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 792 wrote to memory of 1104	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	cmd.exe
PID 2044 wrote to memory of 1976	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 1976	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 1976	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 1976	2044	cmd.exe	cmd.exe
PID 1104 wrote to memory of 1800	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1800	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1800	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1800	1104	cmd.exe	netsh.exe
PID 2044 wrote to memory of 1224	2044	cmd.exe	icacls.exe
PID 2044 wrote to memory of 1224	2044	cmd.exe	icacls.exe
PID 2044 wrote to memory of 1224	2044	cmd.exe	icacls.exe
PID 2044 wrote to memory of 1224	2044	cmd.exe	icacls.exe
PID 1104 wrote to memory of 1736	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1736	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1736	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1736	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1732	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1732	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1732	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1732	1104	cmd.exe	netsh.exe
PID 792 wrote to memory of 1516	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	WINWORD.exe
PID 792 wrote to memory of 1516	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	WINWORD.exe
PID 792 wrote to memory of 1516	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	WINWORD.exe
PID 792 wrote to memory of 1516	792	de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe	WINWORD.exe

C:\Users\Admin\AppData\Local\Temp\de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe
"C:\Users\Admin\AppData\Local\Temp\de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ECHO Y|icacls C:\Users\Admin\AppData\Roaming/divandshare.exe /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"
3⤵
PID:1976

C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming/divandshare.exe /grant administrators:F
3⤵
- Modifies file permissions
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k (netsh advfirewall firewall delete rule name="TCP/UDP Control" | netsh advfirewall firewall add rule name="TCP/UDP Control" dir=in action=allow protocol=TCP localport=1930 | netsh advfirewall firewall add rule name="TCP/UDP Control" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe") & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="TCP/UDP Control"
3⤵
PID:1800

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="TCP/UDP Control" dir=in action=allow protocol=TCP localport=1930
3⤵
PID:1736

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="TCP/UDP Control" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe"
3⤵
PID:1732

C:\Windows\SysWOW64\WINWORD.exe
"C:\Windows\System32\WINWORD.exe"
2⤵
- Executes dropped EXE
PID:1516

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\divandshare.exe
MD5
ab7a640c6b203e4675a45a08eb96a998

SHA1
89b5ba11a035ef784854c94df020d283b6802b82

SHA256
de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149

SHA512
0168c99f2a7a71f5bd8f629083288723f0e7997423e787af46828fabd3b887395ad31539e0623e6b0bbcd3dde926c7e4a68f78dcec088cc5e3ae227a34eadf55

Download Submit
C:\Windows\SysWOW64\WINWORD.exe
MD5
f695125cf286818943bc338deb796132

SHA1
e6de390e98c0c854a3b58950e00baa2abada9090

SHA256
a0d4439f9806edaf86751e0cffe63c762034080cddb7c9b6e7eaed74b0e79120

SHA512
bcfe9a3fdec4239133527fabf6a9cccf77c7fe0dee76a4dbf9c8c88b24154871c96aec5c7a954e2168f03594971d73a6c7a0ef074f0be65304aeb5eb455b60ac

Download Submit
C:\Windows\SysWOW64\WINWORD.exe
MD5
f695125cf286818943bc338deb796132

SHA1
e6de390e98c0c854a3b58950e00baa2abada9090

SHA256
a0d4439f9806edaf86751e0cffe63c762034080cddb7c9b6e7eaed74b0e79120

SHA512
bcfe9a3fdec4239133527fabf6a9cccf77c7fe0dee76a4dbf9c8c88b24154871c96aec5c7a954e2168f03594971d73a6c7a0ef074f0be65304aeb5eb455b60ac

Download Submit
\Windows\SysWOW64\WINWORD.exe
MD5
f695125cf286818943bc338deb796132

SHA1
e6de390e98c0c854a3b58950e00baa2abada9090

SHA256
a0d4439f9806edaf86751e0cffe63c762034080cddb7c9b6e7eaed74b0e79120

SHA512
bcfe9a3fdec4239133527fabf6a9cccf77c7fe0dee76a4dbf9c8c88b24154871c96aec5c7a954e2168f03594971d73a6c7a0ef074f0be65304aeb5eb455b60ac

Download Submit
\Windows\SysWOW64\WINWORD.exe
MD5
f695125cf286818943bc338deb796132

SHA1
e6de390e98c0c854a3b58950e00baa2abada9090

SHA256
a0d4439f9806edaf86751e0cffe63c762034080cddb7c9b6e7eaed74b0e79120

SHA512
bcfe9a3fdec4239133527fabf6a9cccf77c7fe0dee76a4dbf9c8c88b24154871c96aec5c7a954e2168f03594971d73a6c7a0ef074f0be65304aeb5eb455b60ac

Download Submit
memory/792-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/792-2-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/1104-5-0x0000000000000000-mapping.dmp

Download
memory/1224-8-0x0000000000000000-mapping.dmp

Download
memory/1516-17-0x0000000000000000-mapping.dmp

Download
memory/1516-22-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1716-21-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download
memory/1732-10-0x0000000000000000-mapping.dmp

Download
memory/1736-9-0x0000000000000000-mapping.dmp

Download
memory/1800-7-0x0000000000000000-mapping.dmp

Download
memory/1976-6-0x0000000000000000-mapping.dmp

Download
memory/2044-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads