xmrig | 13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73

General

Target

13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
Size

506KB
MD5

b153ea5996f9a64f1c1da4bb7298680e
SHA1

cec8c0b3853836265a11d2cdb1cda41c4a0ac79c
SHA256

13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73
SHA512

1420231956da8ca362569f2fbcdc86d3e03741701b9a38a100392d427f3d4bf37a1077e32b252651feaa9dbf7b82c351431986527f7ca49560e36f5fac0d593b

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe	xmrig

Executes dropped EXE 3 IoCs

Processes:

83208120.exentutrf.exeLTM Agent.exe

pid process

3468 83208120.exe
220 ntutrf.exe
3044 LTM Agent.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exentutrf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ntutrf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

83208120.exentutrf.exe

pid	process
3468	83208120.exe
3468	83208120.exe
3468	83208120.exe
3468	83208120.exe
3468	83208120.exe
3468	83208120.exe
3468	83208120.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe
220	ntutrf.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
648

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

83208120.exentutrf.exeLTM Agent.exe

description	pid	process
Token: SeDebugPrivilege	3468	83208120.exe
Token: SeDebugPrivilege	220	ntutrf.exe
Token: SeLockMemoryPrivilege	3044	LTM Agent.exe
Token: SeLockMemoryPrivilege	3044	LTM Agent.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exentutrf.exe

description	pid	process	target process
PID 1180 wrote to memory of 3468	1180	13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe	83208120.exe
PID 1180 wrote to memory of 3468	1180	13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe	83208120.exe
PID 220 wrote to memory of 3044	220	ntutrf.exe	LTM Agent.exe
PID 220 wrote to memory of 3044	220	ntutrf.exe	LTM Agent.exe

C:\Users\Admin\AppData\Local\Temp\13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
"C:\Users\Admin\AppData\Local\Temp\13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\240630062\83208120.exe
"C:\Users\Admin\AppData\Local\Temp\240630062\83208120.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe
"C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe" --donate-level 1 -o xmr-eu1.nanopool.org:14433 -u 8AahDWVyjfUVpZMHPDz28ggYvNY11zoFTKrrM5F1LPfB1AjHoPVdR4L6PXF6iawSfwgfD7xbAwqgeCLeNTQKkCeWLhDqhp6 -k --tls --coin monero --threads=1
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240630062\83208120.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\240630062\83208120.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe
Filesize
6.5MB

MD5
df17112395adb8d45a4c623c06ee76d1

SHA1
7ce7def2a89b4b9f6a00660d3cd0aee958b1e8f9

SHA256
87ca7cd083a35bc3c82d4403539706dff98a880c926115a1c09871a86f1ab5a1

SHA512
fa89bff5d774183f87e8ab5d6c247a848c1e2101a32040920c43ca6cb9b1ec2cd88b1da699f1130528b6358c3e745732a8e8aaa70d0d4f6fc3af54aa56927620

Download Submit
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
memory/220-139-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

Filesize
10.8MB

Download
memory/1180-130-0x0000000000B90000-0x0000000000C18000-memory.dmp

Filesize
544KB

Download
memory/1180-131-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

Filesize
10.8MB

Download
memory/3044-140-0x0000000000000000-mapping.dmp

Download
memory/3044-142-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/3044-143-0x00000000010D0000-0x00000000010F0000-memory.dmp

Filesize
128KB

Download
memory/3044-144-0x0000000001600000-0x0000000001620000-memory.dmp

Filesize
128KB

Download
memory/3468-136-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

Filesize
10.8MB

Download
memory/3468-135-0x00000000001A0000-0x000000000028A000-memory.dmp

Filesize
936KB

Download
memory/3468-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads