xmrig | 39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636

General

Target

39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe
Size

428KB
MD5

1b851741db97887f9c1232602b462a90
SHA1

1523dff727c1bb11f1b16a45b6fe4a8334eaaab5
SHA256

39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636
SHA512

6a71699dda1b3bd4f6d02ce4fcd88a7998ec2d301cb844ab74caa5a4ae446e7d953c97f5e75673630dccebbd4e7bffb10fa75083f45cc01630b389fea4b37a97

Score

10^/10

xmrig macro miner persistence xlm

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

calcst3g.exesorttion.exe~8FD2.tmp

pid process

2224 calcst3g.exe
1672 sorttion.exe
644 ~8FD2.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~904F.tmp.ppt	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetCPing = "C:\\Users\\Admin\\AppData\\Roaming\\Instexer\\calcst3g.exe"	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe

Drops file in System32 directory 1 IoCs

Processes:

39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe

description ioc process

File created C:\Windows\SysWOW64\sorttion.exe 39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\sorttion.exe	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 1 IoCs

Processes:

39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2184 POWERPNT.EXE

pid	process
2184	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

calcst3g.exeExplorer.EXEsorttion.exe

pid	process
2224	calcst3g.exe
2224	calcst3g.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE
1672	sorttion.exe
1672	sorttion.exe
2740	Explorer.EXE
2740	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE

pid	process
2740	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

POWERPNT.EXEExplorer.EXE

pid process

2184 POWERPNT.EXE
2740 Explorer.EXE
2740 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE
2740 Explorer.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXE

pid process

2184 POWERPNT.EXE
2184 POWERPNT.EXE
2184 POWERPNT.EXE
2184 POWERPNT.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE

pid	process
2184	POWERPNT.EXE
2740	Explorer.EXE
2740	Explorer.EXE

pid	process
2740	Explorer.EXE
2740	Explorer.EXE

pid	process
2184	POWERPNT.EXE
2184	POWERPNT.EXE
2184	POWERPNT.EXE
2184	POWERPNT.EXE

pid	process
2740	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.execalcst3g.exe~8FD2.tmp

description	pid	process	target process
PID 1040 wrote to memory of 2224	1040	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe	calcst3g.exe
PID 1040 wrote to memory of 2224	1040	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe	calcst3g.exe
PID 1040 wrote to memory of 2224	1040	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe	calcst3g.exe
PID 2224 wrote to memory of 644	2224	calcst3g.exe	~8FD2.tmp
PID 2224 wrote to memory of 644	2224	calcst3g.exe	~8FD2.tmp
PID 644 wrote to memory of 2740	644	~8FD2.tmp	Explorer.EXE
PID 1040 wrote to memory of 2184	1040	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe	POWERPNT.EXE
PID 1040 wrote to memory of 2184	1040	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe	POWERPNT.EXE
PID 1040 wrote to memory of 2184	1040	39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe	POWERPNT.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:2740

C:\Users\Admin\AppData\Local\Temp\39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe
"C:\Users\Admin\AppData\Local\Temp\39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\Instexer\calcst3g.exe
"C:\Users\Admin\AppData\Roaming\Instexer\calcst3g.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\~8FD2.tmp
"C:\Users\Admin\AppData\Local\Temp\~8FD2.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\~904F.tmp.ppt" /ou ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\SysWOW64\sorttion.exe
C:\Windows\SysWOW64\sorttion.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~8FD2.tmp

MD5
fa3f39dcfd197e2143a4ec2a98fbbb99

SHA1
eb17051dc2f15738706f5c2707656542acb5bafb

SHA256
7875cab39968692339733d3dac65b61490c1f99a1cf72eceeff22969ab2f796a

SHA512
0000f251a81f839122875829bc270e06e18cce5e1facb9743294509985b23a6c12d480955bd97d82f89acc97c252f9b3efa8cf24cf8d22766a15b6d043d81877

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8FD2.tmp

MD5
fa3f39dcfd197e2143a4ec2a98fbbb99

SHA1
eb17051dc2f15738706f5c2707656542acb5bafb

SHA256
7875cab39968692339733d3dac65b61490c1f99a1cf72eceeff22969ab2f796a

SHA512
0000f251a81f839122875829bc270e06e18cce5e1facb9743294509985b23a6c12d480955bd97d82f89acc97c252f9b3efa8cf24cf8d22766a15b6d043d81877

Download Submit
C:\Users\Admin\AppData\Local\Temp\~904F.tmp.ppt

MD5
942f827c62fa92a31c777537bb38cf05

SHA1
be180a3e288dde356faebbc1e538596d77542e6d

SHA256
156f81df474e8dbfd97470edaff05d1cf2cf416ed1473bc7c79ef16c8b51a25e

SHA512
18145a4f0641244a005a328a6180eaaa44f799fca3d6edfeba58ce3940af7d72640a41822e2b59134bd27972cc3a6f7ca66edefdb128a41625e538a72cff3989

Download Submit
C:\Users\Admin\AppData\Roaming\Instexer\calcst3g.exe

MD5
e225d37c3248dcc6e6c8095133edb86d

SHA1
b8c6f0854b3de52741a6203a3c644f7fd8827629

SHA256
4d9d606d4906538644c87c6425ff8607b08425674e600e8836279b917269285f

SHA512
43ca896a4f7014ec40a0ca1b55507a7611d7af1f15153fe7cb09549a0fcefaf35d0edf3e90ca5ec99d6fd2433e3134550825fff1572da7ad2625ae9c0ab4d111

Download Submit
C:\Users\Admin\AppData\Roaming\Instexer\calcst3g.exe

MD5
e225d37c3248dcc6e6c8095133edb86d

SHA1
b8c6f0854b3de52741a6203a3c644f7fd8827629

SHA256
4d9d606d4906538644c87c6425ff8607b08425674e600e8836279b917269285f

SHA512
43ca896a4f7014ec40a0ca1b55507a7611d7af1f15153fe7cb09549a0fcefaf35d0edf3e90ca5ec99d6fd2433e3134550825fff1572da7ad2625ae9c0ab4d111

Download Submit
C:\Windows\SysWOW64\sorttion.exe

MD5
1b851741db97887f9c1232602b462a90

SHA1
1523dff727c1bb11f1b16a45b6fe4a8334eaaab5

SHA256
39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636

SHA512
6a71699dda1b3bd4f6d02ce4fcd88a7998ec2d301cb844ab74caa5a4ae446e7d953c97f5e75673630dccebbd4e7bffb10fa75083f45cc01630b389fea4b37a97

Download Submit
C:\Windows\SysWOW64\sorttion.exe

MD5
1b851741db97887f9c1232602b462a90

SHA1
1523dff727c1bb11f1b16a45b6fe4a8334eaaab5

SHA256
39a8becef66ccb3da484d4086b7c477d6d7a719055facef105ad8bed55764636

SHA512
6a71699dda1b3bd4f6d02ce4fcd88a7998ec2d301cb844ab74caa5a4ae446e7d953c97f5e75673630dccebbd4e7bffb10fa75083f45cc01630b389fea4b37a97

Download Submit
memory/644-118-0x0000000000000000-mapping.dmp

Download
memory/1040-114-0x0000000000A00000-0x0000000000A7F000-memory.dmp

Filesize
508KB

Download
memory/1672-125-0x0000000001540000-0x000000000168A000-memory.dmp

Filesize
1.3MB

Download
memory/2184-129-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/2184-126-0x0000000000000000-mapping.dmp

Download
memory/2184-127-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/2184-128-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/2184-130-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/2184-132-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/2184-131-0x00007FFC5CB50000-0x00007FFC5E72D000-memory.dmp

Filesize
27.9MB

Download
memory/2184-135-0x00007FFC5A1D0000-0x00007FFC5B2BE000-memory.dmp

Filesize
16.9MB

Download
memory/2184-136-0x00007FFC55990000-0x00007FFC57885000-memory.dmp

Filesize
31.0MB

Download
memory/2224-123-0x0000000000740000-0x000000000088A000-memory.dmp

Filesize
1.3MB

Download
memory/2224-115-0x0000000000000000-mapping.dmp

Download
memory/2740-124-0x0000000003260000-0x00000000032A3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads