xmrig | e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924

General

Target

e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe
Size

294KB
MD5

35f5db065caece60369552162f60541a
SHA1

465a3153f210ab5bba612f96962275c68f356ee4
SHA256

e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924
SHA512

11b0dbe770af86619d6db04bf54f52031b901cb75fc4fcaa32c9ee5421f92debff2bef2eb00d02ab039aab88f33c2c20f5ab2620ffedf3d08071a6d2ce2a9f96

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

cttufsui.exechoigent.exe~1572.tmp

pid process

1800 cttufsui.exe
1888 choigent.exe
2112 ~1572.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdated = "C:\\Users\\Admin\\AppData\\Roaming\\dllhsult\\cttufsui.exe"	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe

Drops file in System32 directory 1 IoCs

Processes:

e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe

description ioc process

File created C:\Windows\SysWOW64\choigent.exe e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\choigent.exe	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe

Office document contains embedded OLE objects 1 IoCs

Detected embedded OLE objects in Office documents.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~15A1.tmp.docx	office_ole_embedded

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2800 WINWORD.EXE
2800 WINWORD.EXE

pid	process
2800	WINWORD.EXE
2800	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cttufsui.exeExplorer.EXEchoigent.exe

pid	process
1800	cttufsui.exe
1800	cttufsui.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE
1888	choigent.exe
1888	choigent.exe
2888	Explorer.EXE
2888	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2888 Explorer.EXE

pid	process
2888	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE
Token: SeShutdownPrivilege	2888	Explorer.EXE
Token: SeCreatePagefilePrivilege	2888	Explorer.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

2800 WINWORD.EXE
2800 WINWORD.EXE
2800 WINWORD.EXE
2800 WINWORD.EXE
2800 WINWORD.EXE
2800 WINWORD.EXE
2800 WINWORD.EXE
2800 WINWORD.EXE
2800 WINWORD.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2888 Explorer.EXE

pid	process
2800	WINWORD.EXE
2800	WINWORD.EXE
2800	WINWORD.EXE
2800	WINWORD.EXE
2800	WINWORD.EXE
2800	WINWORD.EXE
2800	WINWORD.EXE
2800	WINWORD.EXE
2800	WINWORD.EXE

pid	process
2888	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.execttufsui.exe~1572.tmp

description	pid	process	target process
PID 1016 wrote to memory of 1800	1016	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe	cttufsui.exe
PID 1016 wrote to memory of 1800	1016	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe	cttufsui.exe
PID 1016 wrote to memory of 1800	1016	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe	cttufsui.exe
PID 1800 wrote to memory of 2112	1800	cttufsui.exe	~1572.tmp
PID 1800 wrote to memory of 2112	1800	cttufsui.exe	~1572.tmp
PID 2112 wrote to memory of 2888	2112	~1572.tmp	Explorer.EXE
PID 1016 wrote to memory of 2800	1016	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe	WINWORD.EXE
PID 1016 wrote to memory of 2800	1016	e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2888

C:\Users\Admin\AppData\Local\Temp\e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe
"C:\Users\Admin\AppData\Local\Temp\e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Roaming\dllhsult\cttufsui.exe
"C:\Users\Admin\AppData\Roaming\dllhsult\cttufsui.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\~1572.tmp
"C:\Users\Admin\AppData\Local\Temp\~1572.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~15A1.tmp.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\choigent.exe
C:\Windows\SysWOW64\choigent.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1572.tmp
MD5
804ba1be6768539cb2b6d129005a78bc

SHA1
0298df53d7ed71850ec9c2840a5aedd233a0ac88

SHA256
157a913751af580057e5eb9f24d2f5768d3a1872ec2421a37af75689f74ffa5e

SHA512
1b4e003c9be40666b7b620777c3986953625608ef790125274c9b4416150e1fc29d89d5a8ba4e3df23ae4bb5d14b9753dd0dbc8619e8ccde4854db2a83633fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1572.tmp
MD5
804ba1be6768539cb2b6d129005a78bc

SHA1
0298df53d7ed71850ec9c2840a5aedd233a0ac88

SHA256
157a913751af580057e5eb9f24d2f5768d3a1872ec2421a37af75689f74ffa5e

SHA512
1b4e003c9be40666b7b620777c3986953625608ef790125274c9b4416150e1fc29d89d5a8ba4e3df23ae4bb5d14b9753dd0dbc8619e8ccde4854db2a83633fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~15A1.tmp.docx
MD5
c4e99a484a7fdd2ba0aa42893ba2977c

SHA1
609c444012fd6b11115dd0aa33729d863a5745c1

SHA256
306a825a472c5f0967b7a72a426d0fd30313354abdf959d27db85aa33bb1c94c

SHA512
6e0534c8e5fad4d9829624bd3229dce69e5b9140540768b643aef70e6768e006cbe7365d96bb10d29aadbb9bcf28554cb37c2c1ba28e593c10bebd11a367d75e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
MD5
7f1d98d03afe344a89cd4f71ca5209ed

SHA1
2861a07173c85f26d35cf4fc199a7da05d7e3354

SHA256
85a2e6155ca66a1feb4fc92238a1b34bf42b3380afc773b2b76501a96ba5c710

SHA512
dcc596a1761c97660888e68475991ef6d05085533962d0f6554d842a279136ca6a8b9aa85b54b91cb853f9bdac3518d6b18671e129adec26555ace576395b224

Download Submit
C:\Users\Admin\AppData\Roaming\dllhsult\cttufsui.exe
MD5
4450c2bbffc831a8ce59af4e9e79d75e

SHA1
40fe250b7e82e722005965f6a7b12f076f758a9b

SHA256
ec3ebc273a5a9d0f18570984edf5301b5ec5d196d72593087f3d7225fef08975

SHA512
7121824739da40b7a55e3065f4ffee0f069de033b44d4961b39e3854cfda00a5b10d2711fee568a08ab38373f6a46669d9c36cb3ccf64873cc78d7e05b90083b

Download Submit
C:\Users\Admin\AppData\Roaming\dllhsult\cttufsui.exe
MD5
4450c2bbffc831a8ce59af4e9e79d75e

SHA1
40fe250b7e82e722005965f6a7b12f076f758a9b

SHA256
ec3ebc273a5a9d0f18570984edf5301b5ec5d196d72593087f3d7225fef08975

SHA512
7121824739da40b7a55e3065f4ffee0f069de033b44d4961b39e3854cfda00a5b10d2711fee568a08ab38373f6a46669d9c36cb3ccf64873cc78d7e05b90083b

Download Submit
C:\Windows\SysWOW64\choigent.exe
MD5
35f5db065caece60369552162f60541a

SHA1
465a3153f210ab5bba612f96962275c68f356ee4

SHA256
e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924

SHA512
11b0dbe770af86619d6db04bf54f52031b901cb75fc4fcaa32c9ee5421f92debff2bef2eb00d02ab039aab88f33c2c20f5ab2620ffedf3d08071a6d2ce2a9f96

Download Submit
C:\Windows\SysWOW64\choigent.exe
MD5
35f5db065caece60369552162f60541a

SHA1
465a3153f210ab5bba612f96962275c68f356ee4

SHA256
e70d9c40dd3433fce51caab8da163820f67028daf9c06df865d8c564d22aa924

SHA512
11b0dbe770af86619d6db04bf54f52031b901cb75fc4fcaa32c9ee5421f92debff2bef2eb00d02ab039aab88f33c2c20f5ab2620ffedf3d08071a6d2ce2a9f96

Download Submit
memory/1016-114-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/1800-115-0x0000000000000000-mapping.dmp

Download
memory/1800-123-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2112-120-0x0000000000000000-mapping.dmp

Download
memory/2800-130-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2800-128-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2800-129-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2800-127-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2800-132-0x00007FFC964C0000-0x00007FFC964D0000-memory.dmp

Filesize
64KB

Download
memory/2800-131-0x00007FFCB7090000-0x00007FFCB9BB3000-memory.dmp

Filesize
43.1MB

Download
memory/2800-135-0x00007FFCB2AC0000-0x00007FFCB3BAE000-memory.dmp

Filesize
16.9MB

Download
memory/2800-136-0x00007FFCAF9A0000-0x00007FFCB1895000-memory.dmp

Filesize
31.0MB

Download
memory/2800-125-0x0000000000000000-mapping.dmp

Download
memory/2888-126-0x0000000002F70000-0x0000000002FB3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads