xmrig | 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88

General

Target

6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe
Size

343KB
MD5

6cf1ef6ae9f35d89efbae669e3fa59cf
SHA1

a19ce57386dae3750e7e326a024da77717047d7d
SHA256

6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88
SHA512

abd59863bae3c8342e1583adc5df2ad383b0b3273d18da52aba1b2dec815f2415fc2bd4ded90c18a5a16c37ba9d1defe86432457111fbf10b5b95ba0861824e7

Score

10^/10

xmrig macro miner persistence xlm

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

dllhhelp.exeLaungman.exe~D680.tmp

pid process

3668 dllhhelp.exe
3500 Laungman.exe
3132 ~D680.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~D6BE.tmp.doc	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ktmugman = "C:\\Users\\Admin\\AppData\\Roaming\\attrrcfg\\dllhhelp.exe"	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe

Drops file in System32 directory 1 IoCs

Processes:

6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe

description ioc process

File created C:\Windows\SysWOW64\Laungman.exe 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\Laungman.exe	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

Processes:

6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2864 WINWORD.EXE
2864 WINWORD.EXE

pid	process
2864	WINWORD.EXE
2864	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dllhhelp.exeExplorer.EXELaungman.exe

pid	process
3668	dllhhelp.exe
3668	dllhhelp.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
3500	Laungman.exe
2996	Explorer.EXE
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe
3500	Laungman.exe
2996	Explorer.EXE
3500	Laungman.exe
2996	Explorer.EXE
3500	Laungman.exe
3500	Laungman.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE

pid	process
2996	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

2864 WINWORD.EXE
2864 WINWORD.EXE
2864 WINWORD.EXE
2864 WINWORD.EXE
2864 WINWORD.EXE
2864 WINWORD.EXE
2864 WINWORD.EXE
2864 WINWORD.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE

pid	process
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE

pid	process
2996	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exedllhhelp.exe~D680.tmp

description	pid	process	target process
PID 636 wrote to memory of 3668	636	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe	dllhhelp.exe
PID 636 wrote to memory of 3668	636	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe	dllhhelp.exe
PID 636 wrote to memory of 3668	636	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe	dllhhelp.exe
PID 3668 wrote to memory of 3132	3668	dllhhelp.exe	~D680.tmp
PID 3668 wrote to memory of 3132	3668	dllhhelp.exe	~D680.tmp
PID 3132 wrote to memory of 2996	3132	~D680.tmp	Explorer.EXE
PID 636 wrote to memory of 2864	636	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe	WINWORD.EXE
PID 636 wrote to memory of 2864	636	6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2996

C:\Users\Admin\AppData\Local\Temp\6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe
"C:\Users\Admin\AppData\Local\Temp\6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Roaming\attrrcfg\dllhhelp.exe
"C:\Users\Admin\AppData\Roaming\attrrcfg\dllhhelp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\~D680.tmp
"C:\Users\Admin\AppData\Local\Temp\~D680.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~D6BE.tmp.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\SysWOW64\Laungman.exe
C:\Windows\SysWOW64\Laungman.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~D680.tmp

MD5
0715d8c9d313277842927df89ce0d57e

SHA1
e7d461747ed40f7ebf843475df35432122f4c386

SHA256
695780a282565835535396be705633569858a18eaa728067ba0f98e23420386a

SHA512
7cd2ac3a20a425d87468964f52e6e440b35e49838866618cc1584425076610a81a52b0c01e3f1fb38ed3d165f4a1abe87ab6e10d5441fd9f3eb33c261a2d3c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D680.tmp

MD5
0715d8c9d313277842927df89ce0d57e

SHA1
e7d461747ed40f7ebf843475df35432122f4c386

SHA256
695780a282565835535396be705633569858a18eaa728067ba0f98e23420386a

SHA512
7cd2ac3a20a425d87468964f52e6e440b35e49838866618cc1584425076610a81a52b0c01e3f1fb38ed3d165f4a1abe87ab6e10d5441fd9f3eb33c261a2d3c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D6BE.tmp.doc

MD5
7d5a60d00374d3a30b057a14e9620010

SHA1
6cdc63abda3aabb9b895042e5a3ab1adac706c07

SHA256
9c8c0a5b14ae306533c4391dc700f8adf7b6dbdd7afc582ba031ea34d072aaca

SHA512
d3ffa37623a7d49f1ecf70fe514af247da6fea8e7b5f5aca57f2de903182f99990112f533f82fecb3d41d6ff4e39a8fdac97c48d711d341710de909befd0dcb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5
73d0c3f91da66d59ecba468b0bbfd85f

SHA1
6376f4020bdbf2456b39128eefd227cd65cb982d

SHA256
ee75ddf27fc7d0d5afcaea06c2ec0ce2f2e4f202d4a6b327b8540154578a438c

SHA512
7398bfa1129a21626ac9a04c1004e643c645ec1b9bb7c8f520942e4e399123c8d080218b78ef067320b66fccb99540075a337d37b3cd785b29e48412588ede8c

Download Submit
C:\Users\Admin\AppData\Roaming\attrrcfg\dllhhelp.exe

MD5
c6c4e5cc3eb7822cbb7a55e8b45fae26

SHA1
9dc0bf40dc41bef2ed38c0255d33a3723125db08

SHA256
31ea3cd0f29f637d0252e3a9e1b4f06f2abd8d1ba2bb5c1fb4ecb009aca0521c

SHA512
c73a40dc8b94817eb893cc25f5193427b249f55e1acd273f06112660b9cebe4b5a8a561a421b75329870ebae56e84c7f72b6930b0fed895c1fb38869f86cc605

Download Submit
C:\Users\Admin\AppData\Roaming\attrrcfg\dllhhelp.exe

MD5
c6c4e5cc3eb7822cbb7a55e8b45fae26

SHA1
9dc0bf40dc41bef2ed38c0255d33a3723125db08

SHA256
31ea3cd0f29f637d0252e3a9e1b4f06f2abd8d1ba2bb5c1fb4ecb009aca0521c

SHA512
c73a40dc8b94817eb893cc25f5193427b249f55e1acd273f06112660b9cebe4b5a8a561a421b75329870ebae56e84c7f72b6930b0fed895c1fb38869f86cc605

Download Submit
C:\Windows\SysWOW64\Laungman.exe

MD5
6cf1ef6ae9f35d89efbae669e3fa59cf

SHA1
a19ce57386dae3750e7e326a024da77717047d7d

SHA256
6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88

SHA512
abd59863bae3c8342e1583adc5df2ad383b0b3273d18da52aba1b2dec815f2415fc2bd4ded90c18a5a16c37ba9d1defe86432457111fbf10b5b95ba0861824e7

Download Submit
C:\Windows\SysWOW64\Laungman.exe

MD5
6cf1ef6ae9f35d89efbae669e3fa59cf

SHA1
a19ce57386dae3750e7e326a024da77717047d7d

SHA256
6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88

SHA512
abd59863bae3c8342e1583adc5df2ad383b0b3273d18da52aba1b2dec815f2415fc2bd4ded90c18a5a16c37ba9d1defe86432457111fbf10b5b95ba0861824e7

Download Submit
memory/636-114-0x0000000000900000-0x0000000000969000-memory.dmp

Filesize
420KB

Download
memory/2864-131-0x00007FFF717A0000-0x00007FFF742C3000-memory.dmp

Filesize
43.1MB

Download
memory/2864-136-0x00007FFF6A6E0000-0x00007FFF6C5D5000-memory.dmp

Filesize
31.0MB

Download
memory/2864-135-0x00007FFF6CDF0000-0x00007FFF6DEDE000-memory.dmp

Filesize
16.9MB

Download
memory/2864-126-0x0000000000000000-mapping.dmp

Download
memory/2864-127-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp

Filesize
64KB

Download
memory/2864-128-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp

Filesize
64KB

Download
memory/2864-129-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp

Filesize
64KB

Download
memory/2864-130-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp

Filesize
64KB

Download
memory/2864-132-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp

Filesize
64KB

Download
memory/2996-125-0x0000000000E20000-0x0000000000E63000-memory.dmp

Filesize
268KB

Download
memory/2996-201-0x00000000010C0000-0x00000000010D0000-memory.dmp

Filesize
64KB

Download
memory/2996-209-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-212-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-211-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-195-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-196-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-197-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-198-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-194-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2996-200-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-210-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-199-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-203-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-204-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-205-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-206-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-207-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2996-208-0x00000000010C0000-0x00000000010D0000-memory.dmp

Filesize
64KB

Download
memory/2996-202-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3132-120-0x0000000000000000-mapping.dmp

Download
memory/3500-124-0x0000000000B50000-0x0000000000BB9000-memory.dmp

Filesize
420KB

Download
memory/3668-123-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/3668-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads