xmrig | f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd

General

Target

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
Size

354KB
MD5

83442bfd37caf80bddd456fcdc21348c
SHA1

d9545548080bbd21772fb1498fc14f6ef05f2394
SHA256

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd
SHA512

16a136a80599751e3aa6c96aa58bec9b84fdddd21b3e98aeb9ac0f35678c496f990683d89ec350306d9ef9cd8d8e3164100dbdafaf699fe814698e6b864c5b81

Score

10^/10

xmrig macro miner persistence xlm

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

bthuName.exebitsider.exe~2C65.tmp

pid process

3508 bthuName.exe
3932 bitsider.exe
3916 ~2C65.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~2CA3.tmp.doc	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunLnced = "C:\\Users\\Admin\\AppData\\Roaming\\cttuutou\\bthuName.exe"	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

Drops file in System32 directory 1 IoCs

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

description ioc process

File created C:\Windows\SysWOW64\bitsider.exe f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\bitsider.exe	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4088 WINWORD.EXE
4088 WINWORD.EXE

pid	process
4088	WINWORD.EXE
4088	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bthuName.exeExplorer.EXEbitsider.exe

pid	process
3508	bthuName.exe
3508	bthuName.exe
2116	Explorer.EXE
3932	bitsider.exe
2116	Explorer.EXE
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE
3932	bitsider.exe
3932	bitsider.exe
2116	Explorer.EXE
2116	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2116 Explorer.EXE

pid	process
2116	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE
Token: SeShutdownPrivilege	2116	Explorer.EXE
Token: SeCreatePagefilePrivilege	2116	Explorer.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

4088 WINWORD.EXE
4088 WINWORD.EXE
4088 WINWORD.EXE
4088 WINWORD.EXE
4088 WINWORD.EXE
4088 WINWORD.EXE
4088 WINWORD.EXE
4088 WINWORD.EXE
4088 WINWORD.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2116 Explorer.EXE

pid	process
4088	WINWORD.EXE
4088	WINWORD.EXE
4088	WINWORD.EXE
4088	WINWORD.EXE
4088	WINWORD.EXE
4088	WINWORD.EXE
4088	WINWORD.EXE
4088	WINWORD.EXE
4088	WINWORD.EXE

pid	process
2116	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exebthuName.exe~2C65.tmp

description	pid	process	target process
PID 3724 wrote to memory of 3508	3724	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	bthuName.exe
PID 3724 wrote to memory of 3508	3724	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	bthuName.exe
PID 3724 wrote to memory of 3508	3724	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	bthuName.exe
PID 3508 wrote to memory of 3916	3508	bthuName.exe	~2C65.tmp
PID 3508 wrote to memory of 3916	3508	bthuName.exe	~2C65.tmp
PID 3916 wrote to memory of 2116	3916	~2C65.tmp	Explorer.EXE
PID 3724 wrote to memory of 4088	3724	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	WINWORD.EXE
PID 3724 wrote to memory of 4088	3724	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2116

C:\Users\Admin\AppData\Local\Temp\f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
"C:\Users\Admin\AppData\Local\Temp\f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Roaming\cttuutou\bthuName.exe
"C:\Users\Admin\AppData\Roaming\cttuutou\bthuName.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\~2C65.tmp
"C:\Users\Admin\AppData\Local\Temp\~2C65.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~2CA3.tmp.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\SysWOW64\bitsider.exe
C:\Windows\SysWOW64\bitsider.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~2C65.tmp

MD5
579c3b4d90e171fa88017fba2c997388

SHA1
190e15f6085d8bb0c81a8530af64ddf75fcb5df5

SHA256
df98723b4e92d460eafdae111118197348e513974e7d9300ca36ee3f981afb04

SHA512
6d8c1e0c9a51c71c4f6a1f451b83db584dc776e18f3010b481d7afdaac155c234043ebde6d8bbc3653eaf10d0a42aa444e764c3272cc46d987a7e84d3565e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2C65.tmp

MD5
579c3b4d90e171fa88017fba2c997388

SHA1
190e15f6085d8bb0c81a8530af64ddf75fcb5df5

SHA256
df98723b4e92d460eafdae111118197348e513974e7d9300ca36ee3f981afb04

SHA512
6d8c1e0c9a51c71c4f6a1f451b83db584dc776e18f3010b481d7afdaac155c234043ebde6d8bbc3653eaf10d0a42aa444e764c3272cc46d987a7e84d3565e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2CA3.tmp.doc

MD5
d790423a93aa5c0ad659924d004d5dda

SHA1
8278cf6e8a997ff14a1a3958825c168941ea6422

SHA256
4d3f3c44b21f1b42312bf7c1dcf5fc90c71b0b399aec011451123b5c99b5fab1

SHA512
9a564c87f6c430e8f2180021920372593ce25eb7cf894fbce3e48ddcc2b49244eab2e30d871174b80d83fe0f8d949a49745c92db7d6362f0d2138dbe7ec503aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5
69867cd3aa546ca73bfc4f6e54cfd689

SHA1
1d6c487b75f14ee0f25136c9bd6505174e648750

SHA256
0f50fbe0540173e2aee070d5d54c8eb7b4737734204ba41065a937302eeea7fb

SHA512
66c8b9244d6f4ebfaf4a6d8a09b4a82060dd6d0eb5b7b8235028420796670ca86716117fb261dc76d3c66d9c77bf7b2f0f9904e7fb2035d4a08a5f15b0a7fca0

Download Submit
C:\Users\Admin\AppData\Roaming\cttuutou\bthuName.exe

MD5
c4ddce2875d5fa67b5fc2efbbd76865b

SHA1
5aa146ba0c41f5c19798a57eb8d2368fba1b647d

SHA256
14d331812351cf30d6762eddb3c87766a90c854e655f7d1190f7cd8267bc6f82

SHA512
d94fdf16a6a67a809360926ab81d472fb1fd9387acfe866fc0dc192988ece32321c2926f8ebc5b721905a517280f350b6a2e2958955343193c3a862e3ddffb8b

Download Submit
C:\Users\Admin\AppData\Roaming\cttuutou\bthuName.exe

MD5
c4ddce2875d5fa67b5fc2efbbd76865b

SHA1
5aa146ba0c41f5c19798a57eb8d2368fba1b647d

SHA256
14d331812351cf30d6762eddb3c87766a90c854e655f7d1190f7cd8267bc6f82

SHA512
d94fdf16a6a67a809360926ab81d472fb1fd9387acfe866fc0dc192988ece32321c2926f8ebc5b721905a517280f350b6a2e2958955343193c3a862e3ddffb8b

Download Submit
C:\Windows\SysWOW64\bitsider.exe

MD5
83442bfd37caf80bddd456fcdc21348c

SHA1
d9545548080bbd21772fb1498fc14f6ef05f2394

SHA256
f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd

SHA512
16a136a80599751e3aa6c96aa58bec9b84fdddd21b3e98aeb9ac0f35678c496f990683d89ec350306d9ef9cd8d8e3164100dbdafaf699fe814698e6b864c5b81

Download Submit
C:\Windows\SysWOW64\bitsider.exe

MD5
83442bfd37caf80bddd456fcdc21348c

SHA1
d9545548080bbd21772fb1498fc14f6ef05f2394

SHA256
f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd

SHA512
16a136a80599751e3aa6c96aa58bec9b84fdddd21b3e98aeb9ac0f35678c496f990683d89ec350306d9ef9cd8d8e3164100dbdafaf699fe814698e6b864c5b81

Download Submit
memory/2116-127-0x0000000001130000-0x0000000001173000-memory.dmp

Filesize
268KB

Download
memory/3508-125-0x0000000000E10000-0x0000000000F5A000-memory.dmp

Filesize
1.3MB

Download
memory/3508-116-0x0000000000000000-mapping.dmp

Download
memory/3724-115-0x0000000000B40000-0x0000000000C8A000-memory.dmp

Filesize
1.3MB

Download
memory/3916-120-0x0000000000000000-mapping.dmp

Download
memory/3932-126-0x0000000000B50000-0x0000000000BBC000-memory.dmp

Filesize
432KB

Download
memory/4088-131-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/4088-130-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/4088-129-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/4088-133-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/4088-132-0x00007FFA45010000-0x00007FFA47B33000-memory.dmp

Filesize
43.1MB

Download
memory/4088-136-0x00007FFA40BD0000-0x00007FFA41CBE000-memory.dmp

Filesize
16.9MB

Download
memory/4088-137-0x00007FFA3D900000-0x00007FFA3F7F5000-memory.dmp

Filesize
31.0MB

Download
memory/4088-128-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/4088-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads