xmrig | 72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed

General

Target

72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe
Size

507KB
MD5

23b72853593ab99c7b8e48fcd808d4e4
SHA1

b3384c345f9732bf33827c037af3c0bc7bc94ebb
SHA256

72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed
SHA512

eb5e6fa0b5251cfdea345aa64c77b44779fda40299822aa78333ddc8d1dfef0ba78937f3785847869fba68627f938117a04155d3b54842f16d5100ab58b7f10b

Score

10^/10

xmrig macro miner persistence xlm

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

NETSll32.exe~96C7.tmpDpiS.exe

pid process

2636 NETSll32.exe
2848 ~96C7.tmp
2796 DpiS.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~9744.tmp.ppt	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\powe_isv = "C:\\Users\\Admin\\AppData\\Roaming\\msrareg\\NETSll32.exe"	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe

Drops file in System32 directory 1 IoCs

Processes:

72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe

description ioc process

File created C:\Windows\SysWOW64\DpiS.exe 72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\DpiS.exe	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Modifies registry class 1 IoCs

Processes:

72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2200 POWERPNT.EXE

pid	process
2200	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NETSll32.exeExplorer.EXEDpiS.exe

pid	process
2636	NETSll32.exe
2636	NETSll32.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE
2796	DpiS.exe
2796	DpiS.exe
3016	Explorer.EXE
3016	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
3016	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

2200 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXE

pid process

2200 POWERPNT.EXE
2200 POWERPNT.EXE
2200 POWERPNT.EXE
2200 POWERPNT.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
2200	POWERPNT.EXE

pid	process
2200	POWERPNT.EXE
2200	POWERPNT.EXE
2200	POWERPNT.EXE
2200	POWERPNT.EXE

pid	process
3016	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exeNETSll32.exe~96C7.tmp

description	pid	process	target process
PID 408 wrote to memory of 2636	408	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe	NETSll32.exe
PID 408 wrote to memory of 2636	408	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe	NETSll32.exe
PID 408 wrote to memory of 2636	408	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe	NETSll32.exe
PID 2636 wrote to memory of 2848	2636	NETSll32.exe	~96C7.tmp
PID 2636 wrote to memory of 2848	2636	NETSll32.exe	~96C7.tmp
PID 2848 wrote to memory of 3016	2848	~96C7.tmp	Explorer.EXE
PID 408 wrote to memory of 2200	408	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe	POWERPNT.EXE
PID 408 wrote to memory of 2200	408	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe	POWERPNT.EXE
PID 408 wrote to memory of 2200	408	72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe	POWERPNT.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3016

C:\Users\Admin\AppData\Local\Temp\72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe
"C:\Users\Admin\AppData\Local\Temp\72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Roaming\msrareg\NETSll32.exe
"C:\Users\Admin\AppData\Roaming\msrareg\NETSll32.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\~96C7.tmp
"C:\Users\Admin\AppData\Local\Temp\~96C7.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\~9744.tmp.ppt" /ou ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\SysWOW64\DpiS.exe
C:\Windows\SysWOW64\DpiS.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~96C7.tmp

MD5
cb63ac125df50bfd7f600a2c108104d7

SHA1
4f8b4c598ba11f1a27a0851750be7393bab2f644

SHA256
c5da0d968378ccab34b3b397de2344e3469e98251d86190e956e28a84088883f

SHA512
cbc28501191b2448b88f1be21874535b8210ffe42324aa508054c5b67389a05dde19acbcf08e4ad80cba77e94ab707a884b77e1f51ccf9ea05a99c52e1b804a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~96C7.tmp

MD5
cb63ac125df50bfd7f600a2c108104d7

SHA1
4f8b4c598ba11f1a27a0851750be7393bab2f644

SHA256
c5da0d968378ccab34b3b397de2344e3469e98251d86190e956e28a84088883f

SHA512
cbc28501191b2448b88f1be21874535b8210ffe42324aa508054c5b67389a05dde19acbcf08e4ad80cba77e94ab707a884b77e1f51ccf9ea05a99c52e1b804a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9744.tmp.ppt

MD5
d24994bb034778c95e54c8d22ebb08e2

SHA1
6fe25ec8d3c34a081a6eda7286f14208c1d9d834

SHA256
72fb2cf9df19f135875c1eac6a9b70709aff2055c213676e88e6a32da3d52dc1

SHA512
ce9bc85e91529feb3c322172257199b2edf8e474e5101107b0f13b9e08cc29a548a086b56958c099c43e4703efea95c02d0d3dcd6cc07749ddc4d6c9862de375

Download Submit
C:\Users\Admin\AppData\Roaming\msrareg\NETSll32.exe

MD5
a5230082328e85db5f7bfcdabe5c7887

SHA1
ee3422e59fe2f951ce911332951449f3f11aa5c8

SHA256
e8bf296976a130329883f5f65a8c7af7c0b853a7be8792ba1c8c8dd87c173b30

SHA512
1f0ea6407fee4a1844e617eedb319b098d4ada554db9b6c7e1dd87ae6ad4a3018a22421c77b085f426fc90691d5d208bc6bf22e98291cf273c31043b21b384a7

Download Submit
C:\Users\Admin\AppData\Roaming\msrareg\NETSll32.exe

MD5
a5230082328e85db5f7bfcdabe5c7887

SHA1
ee3422e59fe2f951ce911332951449f3f11aa5c8

SHA256
e8bf296976a130329883f5f65a8c7af7c0b853a7be8792ba1c8c8dd87c173b30

SHA512
1f0ea6407fee4a1844e617eedb319b098d4ada554db9b6c7e1dd87ae6ad4a3018a22421c77b085f426fc90691d5d208bc6bf22e98291cf273c31043b21b384a7

Download Submit
C:\Windows\SysWOW64\DpiS.exe

MD5
23b72853593ab99c7b8e48fcd808d4e4

SHA1
b3384c345f9732bf33827c037af3c0bc7bc94ebb

SHA256
72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed

SHA512
eb5e6fa0b5251cfdea345aa64c77b44779fda40299822aa78333ddc8d1dfef0ba78937f3785847869fba68627f938117a04155d3b54842f16d5100ab58b7f10b

Download Submit
C:\Windows\SysWOW64\DpiS.exe

MD5
23b72853593ab99c7b8e48fcd808d4e4

SHA1
b3384c345f9732bf33827c037af3c0bc7bc94ebb

SHA256
72e78026a689d2c19d4f8b114826b848dbd7b9a3e61b2b67bdb67e251f4312ed

SHA512
eb5e6fa0b5251cfdea345aa64c77b44779fda40299822aa78333ddc8d1dfef0ba78937f3785847869fba68627f938117a04155d3b54842f16d5100ab58b7f10b

Download Submit
memory/408-114-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2200-129-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp

Filesize
64KB

Download
memory/2200-131-0x00007FFA92A10000-0x00007FFA945ED000-memory.dmp

Filesize
27.9MB

Download
memory/2200-136-0x00007FFA8A8E0000-0x00007FFA8C7D5000-memory.dmp

Filesize
31.0MB

Download
memory/2200-135-0x00007FFA90090000-0x00007FFA9117E000-memory.dmp

Filesize
16.9MB

Download
memory/2200-126-0x0000000000000000-mapping.dmp

Download
memory/2200-127-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp

Filesize
64KB

Download
memory/2200-128-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp

Filesize
64KB

Download
memory/2200-132-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp

Filesize
64KB

Download
memory/2200-130-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp

Filesize
64KB

Download
memory/2636-123-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2636-115-0x0000000000000000-mapping.dmp

Download
memory/2796-125-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/2848-118-0x0000000000000000-mapping.dmp

Download
memory/3016-124-0x0000000003310000-0x0000000003353000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads