xmrig | a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b

General

Target

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
Size

517KB
MD5

0d0d474a1e1a09a0d9d5e8f375438475
SHA1

6e7ddc644600681ea16847191d2fe2b16375f0a7
SHA256

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b
SHA512

3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

Settance.exe~7341.tmpCameutil.exe

pid process

2844 Settance.exe
224 ~7341.tmp
228 Cameutil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoinfo = "C:\\Users\\Admin\\AppData\\Roaming\\icactall\\Settance.exe"	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

Drops file in System32 directory 1 IoCs

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

description ioc process

File created C:\Windows\SysWOW64\Cameutil.exe a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\Cameutil.exe	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

776 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Settance.exeExplorer.EXECameutil.exe

pid	process
2844	Settance.exe
2844	Settance.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE
228	Cameutil.exe
228	Cameutil.exe
3052	Explorer.EXE
3052	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

Explorer.EXE

pid	process
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
3052 Explorer.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE
776	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exeSettance.exe~7341.tmp

description	pid	process	target process
PID 744 wrote to memory of 2844	744	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	Settance.exe
PID 744 wrote to memory of 2844	744	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	Settance.exe
PID 744 wrote to memory of 2844	744	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	Settance.exe
PID 2844 wrote to memory of 224	2844	Settance.exe	~7341.tmp
PID 2844 wrote to memory of 224	2844	Settance.exe	~7341.tmp
PID 224 wrote to memory of 3052	224	~7341.tmp	Explorer.EXE
PID 744 wrote to memory of 776	744	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	EXCEL.EXE
PID 744 wrote to memory of 776	744	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	EXCEL.EXE
PID 744 wrote to memory of 776	744	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	EXCEL.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3052
- C:\Users\Admin\AppData\Local\Temp\a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
  "C:\Users\Admin\AppData\Local\Temp\a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Roaming\icactall\Settance.exe
    "C:\Users\Admin\AppData\Roaming\icactall\Settance.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\~7341.tmp
      "C:\Users\Admin\AppData\Local\Temp\~7341.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:224
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\~73ED.tmp.xlsx"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:776

C:\Windows\SysWOW64\Cameutil.exe
C:\Windows\SysWOW64\Cameutil.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~7341.tmp

MD5
b1fb7a3de4afff73216bdd998f99003c

SHA1
c4d80769e0df37096c7372f4bbe4d5643d18bf6a

SHA256
c88c50804998eb2446eeacc1e148fce48c8880071a61dd006dbebd9ff0016f41

SHA512
95ee28e64faba3694c1d3a7e537378e696f1e2b8013c0ecf5aea74b1b94be29c3f17391a1dbdbe65b86aa3e7ec8be13df73986872ba1c34a378c14c8b92b565a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7341.tmp

MD5
b1fb7a3de4afff73216bdd998f99003c

SHA1
c4d80769e0df37096c7372f4bbe4d5643d18bf6a

SHA256
c88c50804998eb2446eeacc1e148fce48c8880071a61dd006dbebd9ff0016f41

SHA512
95ee28e64faba3694c1d3a7e537378e696f1e2b8013c0ecf5aea74b1b94be29c3f17391a1dbdbe65b86aa3e7ec8be13df73986872ba1c34a378c14c8b92b565a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~73ED.tmp.xlsx

MD5
c7c71ed0e92671007caa33cf38a93439

SHA1
ac7fd84c13f7c9b2121b95444bd033501c760e83

SHA256
6692da61467de18bf234cfe1bb3424fee30156b71a23897b3c19661ab812645b

SHA512
6bfeee0f678a602d8929134b0ff8e42d2ffc475ab5820ab3c2c13dd941c65d82c97d842c7cf5f0a3b8cc6295a973d8a1e0ca6848caff19143ae09b2307f1b9ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\icactall\Settance.exe

MD5
e1cf05b9dad3984890aed73911c1ca32

SHA1
cd1242b19282696200e07a16aff1665f715e6e0b

SHA256
9a4a6a3daedf42230936fccedddf13881001cee966bf3931016958455fd9ea4e

SHA512
7a5f3ff97eb0866d5b192d9d13e8c025ac916bd4bec60bb5c3e61adf3317fbd41c5c1c3a5741544e3c56bb2051a6b632347bbe6374ac0a42c0d7e35e502991ac

Download Submit
C:\Users\Admin\AppData\Roaming\icactall\Settance.exe

MD5
e1cf05b9dad3984890aed73911c1ca32

SHA1
cd1242b19282696200e07a16aff1665f715e6e0b

SHA256
9a4a6a3daedf42230936fccedddf13881001cee966bf3931016958455fd9ea4e

SHA512
7a5f3ff97eb0866d5b192d9d13e8c025ac916bd4bec60bb5c3e61adf3317fbd41c5c1c3a5741544e3c56bb2051a6b632347bbe6374ac0a42c0d7e35e502991ac

Download Submit
C:\Windows\SysWOW64\Cameutil.exe

MD5
0d0d474a1e1a09a0d9d5e8f375438475

SHA1
6e7ddc644600681ea16847191d2fe2b16375f0a7

SHA256
a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b

SHA512
3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a

Download Submit
C:\Windows\SysWOW64\Cameutil.exe

MD5
0d0d474a1e1a09a0d9d5e8f375438475

SHA1
6e7ddc644600681ea16847191d2fe2b16375f0a7

SHA256
a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b

SHA512
3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a

Download Submit
memory/224-118-0x0000000000000000-mapping.dmp

Download
memory/228-125-0x0000000001300000-0x0000000001395000-memory.dmp

Filesize
596KB

Download
memory/744-114-0x0000000000900000-0x00000000009AE000-memory.dmp

Filesize
696KB

Download
memory/776-129-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-126-0x0000000000000000-mapping.dmp

Download
memory/776-127-0x00007FF7C0050000-0x00007FF7C3606000-memory.dmp

Filesize
53.7MB

Download
memory/776-128-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-130-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-131-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-134-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-135-0x00007FFDF84C0000-0x00007FFDF95AE000-memory.dmp

Filesize
16.9MB

Download
memory/776-136-0x00007FFDF65C0000-0x00007FFDF84B5000-memory.dmp

Filesize
31.0MB

Download
memory/2844-123-0x0000000000900000-0x0000000000A4A000-memory.dmp

Filesize
1.3MB

Download
memory/2844-115-0x0000000000000000-mapping.dmp

Download
memory/3052-124-0x00000000012E0000-0x0000000001323000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads