xmrig | 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d

General

Target

6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
Size

507KB
MD5

56a65bdcd8ac98ea90b9aec9bfe2b5e4
SHA1

189fde58d647edd83940de632dde978dd7a3823c
SHA256

6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d
SHA512

3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f

Score

10^/10

xmrig macro miner persistence xlm

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

clicasks.exeevenlwiz.exe~F48.tmp

pid process

1824 clicasks.exe
1896 evenlwiz.exe
1744 ~F48.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~FC5.tmp.doc	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\runoeown = "C:\\Users\\Admin\\AppData\\Roaming\\ddodpand\\clicasks.exe"	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe

Drops file in System32 directory 1 IoCs

Processes:

6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe

description ioc process

File created C:\Windows\SysWOW64\evenlwiz.exe 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\evenlwiz.exe	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

Processes:

6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2804 WINWORD.EXE
2804 WINWORD.EXE

pid	process
2804	WINWORD.EXE
2804	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

clicasks.exeExplorer.EXEevenlwiz.exe

pid	process
1824	clicasks.exe
1824	clicasks.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE
1896	evenlwiz.exe
1896	evenlwiz.exe
2888	Explorer.EXE
2888	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2888 Explorer.EXE

pid	process
2888	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

2804 WINWORD.EXE
2804 WINWORD.EXE
2804 WINWORD.EXE
2804 WINWORD.EXE
2804 WINWORD.EXE
2804 WINWORD.EXE
2804 WINWORD.EXE
2804 WINWORD.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2888 Explorer.EXE

pid	process
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE

pid	process
2888	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.execlicasks.exe~F48.tmp

description	pid	process	target process
PID 1016 wrote to memory of 1824	1016	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe	clicasks.exe
PID 1016 wrote to memory of 1824	1016	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe	clicasks.exe
PID 1016 wrote to memory of 1824	1016	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe	clicasks.exe
PID 1824 wrote to memory of 1744	1824	clicasks.exe	~F48.tmp
PID 1824 wrote to memory of 1744	1824	clicasks.exe	~F48.tmp
PID 1744 wrote to memory of 2888	1744	~F48.tmp	Explorer.EXE
PID 1016 wrote to memory of 2804	1016	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe	WINWORD.EXE
PID 1016 wrote to memory of 2804	1016	6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2888

C:\Users\Admin\AppData\Local\Temp\6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
"C:\Users\Admin\AppData\Local\Temp\6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Roaming\ddodpand\clicasks.exe
"C:\Users\Admin\AppData\Roaming\ddodpand\clicasks.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\~F48.tmp
"C:\Users\Admin\AppData\Local\Temp\~F48.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~FC5.tmp.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\SysWOW64\evenlwiz.exe
C:\Windows\SysWOW64\evenlwiz.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~F48.tmp
MD5
9616998334154666128a23b5befb9c75

SHA1
8d15f964fc999993672279b0f7f0d2e3fb3cd409

SHA256
1786928fc22ffd7a54681fa6e917b8f85f9fc0b5d8eee2a167b5faf7e6c9a84e

SHA512
4e24d758193cc374f5954f0093935103dd2d15b6b65de2c06420455c29adc870595dcb7fa491a7e4d6d7555b9c6a0bf413024a06a29c435068eee966f110c363

Download Submit
C:\Users\Admin\AppData\Local\Temp\~F48.tmp
MD5
9616998334154666128a23b5befb9c75

SHA1
8d15f964fc999993672279b0f7f0d2e3fb3cd409

SHA256
1786928fc22ffd7a54681fa6e917b8f85f9fc0b5d8eee2a167b5faf7e6c9a84e

SHA512
4e24d758193cc374f5954f0093935103dd2d15b6b65de2c06420455c29adc870595dcb7fa491a7e4d6d7555b9c6a0bf413024a06a29c435068eee966f110c363

Download Submit
C:\Users\Admin\AppData\Local\Temp\~FC5.tmp.doc
MD5
149f0098b9faa6bcf9a8f7f2aed29fc9

SHA1
244de26e12de2d715cf3a869e932a6d21b3a8b1e

SHA256
34969e2f18eae8c5b9bf68dbfe92aeee74c05206237498231d03d95a0ed1941f

SHA512
f98135fcaff860b66bf73fa46fb72375a5b9ee8865af113b793a85eaa5bc020c3f716c9b2709252008978071fd02be620428be8e39fefdd533a0cc3e1c207056

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
MD5
7f1d98d03afe344a89cd4f71ca5209ed

SHA1
2861a07173c85f26d35cf4fc199a7da05d7e3354

SHA256
85a2e6155ca66a1feb4fc92238a1b34bf42b3380afc773b2b76501a96ba5c710

SHA512
dcc596a1761c97660888e68475991ef6d05085533962d0f6554d842a279136ca6a8b9aa85b54b91cb853f9bdac3518d6b18671e129adec26555ace576395b224

Download Submit
C:\Users\Admin\AppData\Roaming\ddodpand\clicasks.exe
MD5
b0e552fecaed717807ea6412e4e496eb

SHA1
06d802d2f52849f934f0f6720adc959086e90851

SHA256
05ddf734e417de65703fecd20004c92933dc53788c910c349dd72fd7fc8ce5f9

SHA512
d86d796630727a6992761178aedd5fb4c491ab9a8ff8226a428428235e24712ec4c4ead36376b685e903c78dff3a1e7b0014cf17417ede4adc344954146bbacd

Download Submit
C:\Users\Admin\AppData\Roaming\ddodpand\clicasks.exe
MD5
b0e552fecaed717807ea6412e4e496eb

SHA1
06d802d2f52849f934f0f6720adc959086e90851

SHA256
05ddf734e417de65703fecd20004c92933dc53788c910c349dd72fd7fc8ce5f9

SHA512
d86d796630727a6992761178aedd5fb4c491ab9a8ff8226a428428235e24712ec4c4ead36376b685e903c78dff3a1e7b0014cf17417ede4adc344954146bbacd

Download Submit
C:\Windows\SysWOW64\evenlwiz.exe
MD5
56a65bdcd8ac98ea90b9aec9bfe2b5e4

SHA1
189fde58d647edd83940de632dde978dd7a3823c

SHA256
6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d

SHA512
3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f

Download Submit
C:\Windows\SysWOW64\evenlwiz.exe
MD5
56a65bdcd8ac98ea90b9aec9bfe2b5e4

SHA1
189fde58d647edd83940de632dde978dd7a3823c

SHA256
6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d

SHA512
3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f

Download Submit
memory/1016-114-0x00000000008C0000-0x0000000000952000-memory.dmp

Filesize
584KB

Download
memory/1744-119-0x0000000000000000-mapping.dmp

Download
memory/1824-115-0x0000000000000000-mapping.dmp

Download
memory/1824-124-0x0000000000900000-0x0000000000A4A000-memory.dmp

Filesize
1.3MB

Download
memory/1896-125-0x0000000001120000-0x00000000011CE000-memory.dmp

Filesize
696KB

Download
memory/2804-127-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2804-128-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2804-129-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2804-130-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2804-132-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2804-131-0x00007FFCB7090000-0x00007FFCB9BB3000-memory.dmp

Filesize
43.1MB

Download
memory/2804-135-0x00007FFCB2AC0000-0x00007FFCB3BAE000-memory.dmp

Filesize
16.9MB

Download
memory/2804-136-0x00007FFCAF9A0000-0x00007FFCB1895000-memory.dmp

Filesize
31.0MB

Download
memory/2804-123-0x0000000000000000-mapping.dmp

Download
memory/2888-126-0x0000000002F70000-0x0000000002FB3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads