xmrig | cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670

General

Target

cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe
Size

352KB
MD5

dd21a3a58b5142e8a7de2ef73066f309
SHA1

f91f60a05764bc1739f26701c07a0486eaf94308
SHA256

cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670
SHA512

9314f6ea0c08c910c05380234709d1722652725aa8178be1213753c73227d2dfc8c54aba3cd5f45890ed91665b8d4c0c733062e231047989ca8dc9e8f8b8ab80

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

dialript.exe~9D3F.tmpRdpStend.exe

pid process

3036 dialript.exe
740 ~9D3F.tmp
60 RdpStend.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ddodtmac = "C:\\Users\\Admin\\AppData\\Roaming\\cmstdiag\\dialript.exe"	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

Drops file in System32 directory 1 IoCs

Processes:

cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

description ioc process

File created C:\Windows\SysWOW64\RdpStend.exe cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\RdpStend.exe	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3856 WINWORD.EXE
3856 WINWORD.EXE

pid	process
3856	WINWORD.EXE
3856	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dialript.exeExplorer.EXERdpStend.exe

pid	process
3036	dialript.exe
3036	dialript.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE
60	RdpStend.exe
60	RdpStend.exe
3048	Explorer.EXE
3048	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE

pid	process
3048	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
3048 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
3048 Explorer.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

3856 WINWORD.EXE
3856 WINWORD.EXE
3856 WINWORD.EXE
3856 WINWORD.EXE
3856 WINWORD.EXE
3856 WINWORD.EXE
3856 WINWORD.EXE
3856 WINWORD.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE

pid	process
3048	Explorer.EXE
3048	Explorer.EXE

pid	process
3048	Explorer.EXE
3048	Explorer.EXE

pid	process
3856	WINWORD.EXE
3856	WINWORD.EXE
3856	WINWORD.EXE
3856	WINWORD.EXE
3856	WINWORD.EXE
3856	WINWORD.EXE
3856	WINWORD.EXE
3856	WINWORD.EXE

pid	process
3048	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exedialript.exe~9D3F.tmp

description	pid	process	target process
PID 4656 wrote to memory of 3036	4656	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe	dialript.exe
PID 4656 wrote to memory of 3036	4656	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe	dialript.exe
PID 4656 wrote to memory of 3036	4656	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe	dialript.exe
PID 3036 wrote to memory of 740	3036	dialript.exe	~9D3F.tmp
PID 3036 wrote to memory of 740	3036	dialript.exe	~9D3F.tmp
PID 740 wrote to memory of 3048	740	~9D3F.tmp	Explorer.EXE
PID 4656 wrote to memory of 3856	4656	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe	WINWORD.EXE
PID 4656 wrote to memory of 3856	4656	cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3048

C:\Users\Admin\AppData\Local\Temp\cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe
"C:\Users\Admin\AppData\Local\Temp\cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Roaming\cmstdiag\dialript.exe
"C:\Users\Admin\AppData\Roaming\cmstdiag\dialript.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\~9D3F.tmp
"C:\Users\Admin\AppData\Local\Temp\~9D3F.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~9DEB.tmp.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\SysWOW64\RdpStend.exe
C:\Windows\SysWOW64\RdpStend.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:60

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~9D3F.tmp
MD5
81c1a1c7a67e759cbb883aca3f7b0426

SHA1
563be97aef63e41c37c0372a086014ed3ec53dc9

SHA256
aa0929f50e4ba7da5751009b444e6d0e180b39a81155c0ae92c527a3e6336d9c

SHA512
10b4dd13edb0091fa3a3f54129a5a352644c2434f052f177e6e31800ca6e2c17cab3b25a5749479d11861dcec93d70d590046e60690a6740782e662051a8b419

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9D3F.tmp
MD5
81c1a1c7a67e759cbb883aca3f7b0426

SHA1
563be97aef63e41c37c0372a086014ed3ec53dc9

SHA256
aa0929f50e4ba7da5751009b444e6d0e180b39a81155c0ae92c527a3e6336d9c

SHA512
10b4dd13edb0091fa3a3f54129a5a352644c2434f052f177e6e31800ca6e2c17cab3b25a5749479d11861dcec93d70d590046e60690a6740782e662051a8b419

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9DEB.tmp.docx
MD5
fee3944c7c5bf660e2ee3ebeee861ab1

SHA1
0808cf02731aa1560ae53591339fee7189d29823

SHA256
f0022e17f4b613886f6122fa2938c8522f639cb98a4816e0e4a913ab4805cf78

SHA512
6a6977649f20489230de512c2cfc6ab96bf6cb931b0500c8b0090f0c13f3db1853eea25df4159d33c53f4ec0b3f2ee83a152846afb24ed491a8d7ff75ff823e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
MD5
ae534ed223735f153e8772b225dbb5e3

SHA1
9fab1c785c156e80f18465f6768128b631afe178

SHA256
2d86f33226ec866b49d62ba09c75137e0a4c2065a011689249ecd327981e8ae4

SHA512
3adee164449ed8609d5c1f1159e8c58f6f1494d6daa3b75df9a51b15db23006cb5589750d5457ce52e93afeab0b3ab22c53bbcb0134df8ecbbe8a87dcf6f7844

Download Submit
C:\Users\Admin\AppData\Roaming\cmstdiag\dialript.exe
MD5
6033c8215fb4f429171ceea39599c021

SHA1
04643c00dd57b24684dba348745ffe70020ea3f4

SHA256
46fc5986b6058ecbbfa90c1732a1e95a690d2d6583094f4eb7c9c59c170ccb66

SHA512
41d65b02d47a9ebeaefa50adca7b27e0f4e6809b5cfee216e0fce325e29f1083e8e1eecdf51d5ff0f9e914d0c25a4de604a00477fc68d7245e1d591d60456237

Download Submit
C:\Users\Admin\AppData\Roaming\cmstdiag\dialript.exe
MD5
6033c8215fb4f429171ceea39599c021

SHA1
04643c00dd57b24684dba348745ffe70020ea3f4

SHA256
46fc5986b6058ecbbfa90c1732a1e95a690d2d6583094f4eb7c9c59c170ccb66

SHA512
41d65b02d47a9ebeaefa50adca7b27e0f4e6809b5cfee216e0fce325e29f1083e8e1eecdf51d5ff0f9e914d0c25a4de604a00477fc68d7245e1d591d60456237

Download Submit
C:\Windows\SysWOW64\RdpStend.exe
MD5
dd21a3a58b5142e8a7de2ef73066f309

SHA1
f91f60a05764bc1739f26701c07a0486eaf94308

SHA256
cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670

SHA512
9314f6ea0c08c910c05380234709d1722652725aa8178be1213753c73227d2dfc8c54aba3cd5f45890ed91665b8d4c0c733062e231047989ca8dc9e8f8b8ab80

Download Submit
C:\Windows\SysWOW64\RdpStend.exe
MD5
dd21a3a58b5142e8a7de2ef73066f309

SHA1
f91f60a05764bc1739f26701c07a0486eaf94308

SHA256
cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670

SHA512
9314f6ea0c08c910c05380234709d1722652725aa8178be1213753c73227d2dfc8c54aba3cd5f45890ed91665b8d4c0c733062e231047989ca8dc9e8f8b8ab80

Download Submit
memory/60-125-0x0000000000170000-0x00000000001DC000-memory.dmp

Filesize
432KB

Download
memory/740-118-0x0000000000000000-mapping.dmp

Download
memory/3036-115-0x0000000000000000-mapping.dmp

Download
memory/3036-123-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/3048-124-0x0000000000A90000-0x0000000000AD3000-memory.dmp

Filesize
268KB

Download
memory/3856-129-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/3856-128-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/3856-127-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/3856-130-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/3856-132-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/3856-131-0x00007FFA592C0000-0x00007FFA5BDE3000-memory.dmp

Filesize
43.1MB

Download
memory/3856-135-0x00007FFA53D40000-0x00007FFA54E2E000-memory.dmp

Filesize
16.9MB

Download
memory/3856-136-0x00007FFA51E40000-0x00007FFA53D35000-memory.dmp

Filesize
31.0MB

Download
memory/3856-126-0x0000000000000000-mapping.dmp

Download
memory/4656-114-0x0000000001350000-0x00000000013BC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads