Resubmissions

08-01-2021 15:21

210108-kdkln37l9x 10

08-01-2021 08:51

210108-fpetcw5rxj 1

General

  • Target

    defenderModule.exe

  • Size

    47.9MB

  • Sample

    210108-kdkln37l9x

  • MD5

    8e8bae165f8891a4b74b38fc79f6f159

  • SHA1

    ecc64521a67db9d51625c5e2795536e2d182327e

  • SHA256

    a7c4d788dbcdbb75154a25b57bb71cd1186d412fd776986fac561b74af224efd

  • SHA512

    b5863051f8208b63418b48737a1de0c488594ca6cf6ab4410fa568995d9c8130e388989995b2dde243439aa8f28ddddabbc950ff360a3c33eed51d9ca7b76db0

Malware Config

Targets

    • Target

      defenderModule.exe

    • Size

      47.9MB

    • MD5

      8e8bae165f8891a4b74b38fc79f6f159

    • SHA1

      ecc64521a67db9d51625c5e2795536e2d182327e

    • SHA256

      a7c4d788dbcdbb75154a25b57bb71cd1186d412fd776986fac561b74af224efd

    • SHA512

      b5863051f8208b63418b48737a1de0c488594ca6cf6ab4410fa568995d9c8130e388989995b2dde243439aa8f28ddddabbc950ff360a3c33eed51d9ca7b76db0

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block at first sight.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies Windows Defender Real-time Protection settings

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
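As an added illustration (not code from the sandbox report or the sample), the following Python script shows how the "Modifies Windows Defender Real-time Protection settings" and "Modifies Windows Firewall" signatures above can be reproduced from registry SetValue telemetry such as Sysmon Event ID 13. The event lines are constructed for the demo in a simplified `field=value|field=value` form; the registry value names under the `Windows Defender` and `WindowsFirewall` policy keys are real, while the process paths, user names and DWORD values in the sample events are assumptions. The check also handles the two cases a naive value-name match gets wrong: a write that re-enables protection (value cleared to 0) and the same value name written outside the Defender or policy hives.

```python
"""Flag registry writes that tamper with Windows Defender / Firewall settings.

Added example, not part of the sandbox report. Sample events below are
constructed; only the registry value names and policy key paths are real.
"""
import re
from dataclasses import dataclass

# Defender policy values that switch a capability OFF when set to nonzero.
DISABLE_WHEN_SET = {
    "DisableAntiSpyware": "Defender engine",
    "DisableRealtimeMonitoring": "real-time monitoring",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableOnAccessProtection": "on-access protection",
    "DisableIOAVProtection": "download/attachment scanning",
    "DisableScanOnRealtimeEnable": "scan on real-time enable",
    "DisableBlockAtFirstSeen": "block at first sight",
}
# Values that switch a capability OFF when cleared to zero.
DISABLE_WHEN_CLEARED = {
    "SpynetReporting": "cloud reporting (MAPS)",
    "SubmitSamplesConsent": "sample submission",
    "EnableFirewall": "Windows Firewall profile",
}
# Only trust these value names under the Defender / Firewall policy hives.
POLICY_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(Policies\\Microsoft\\(Windows Defender|WindowsFirewall)"
    r"|Microsoft\\Windows Defender)\\",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


@dataclass
class Finding:
    image: str       # process that performed the write
    target: str      # full registry path written
    capability: str  # what was switched off


def parse_event(line):
    """Parse 'k=v|k=v' into a dict; return None for malformed lines."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key] = value
    return fields


def check_event(fields):
    """Return a Finding if this SetValue event disables a protection."""
    if fields.get("EventType") != "SetValue":
        return None
    target = fields.get("TargetObject", "")
    if not POLICY_KEY_RE.match(target):
        return None  # same value name elsewhere is not a Defender tamper
    name = target.rsplit("\\", 1)[-1]
    match = DWORD_RE.search(fields.get("Details", ""))
    if not match:
        return None
    value = int(match.group(1), 16)
    if name in DISABLE_WHEN_SET and value != 0:
        capability = DISABLE_WHEN_SET[name]
    elif name in DISABLE_WHEN_CLEARED and value == 0:
        capability = DISABLE_WHEN_CLEARED[name]
    else:
        return None  # e.g. DisableRealtimeMonitoring=0 re-enables protection
    return Finding(fields.get("Image", "?"), target, capability)


def scan(lines):
    """Run check_event over raw event lines, skipping unparseable ones."""
    findings = []
    for line in lines:
        fields = parse_event(line)
        if fields is None:
            continue
        finding = check_event(fields)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (assumed paths and values).
SAMPLE_EVENTS = [
    r"EventType=SetValue|Image=C:\Users\victim\Desktop\defenderModule.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring|Details=DWORD (0x00000001)",
    r"EventType=SetValue|Image=C:\Users\victim\Desktop\defenderModule.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen|Details=DWORD (0x00000001)",
    r"EventType=SetValue|Image=C:\Users\victim\Desktop\defenderModule.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall|Details=DWORD (0x00000000)",
    # benign: an admin re-enabling real-time monitoring (value cleared)
    r"EventType=SetValue|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring|Details=DWORD (0x00000000)",
    # benign: same value name, but outside the Defender/policy hives
    r"EventType=SetValue|Image=C:\Program Files\Foo\foo.exe|TargetObject=HKCU\Software\Foo\DisableRealtimeMonitoring|Details=DWORD (0x00000001)",
    # ignored: not a SetValue event
    r"EventType=DeleteValue|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image} disabled {f.capability} via {f.target}")
```

Running the script reports the three tampering writes by defenderModule.exe and stays silent on the re-enable and the out-of-hive write; in production the same check is best fed from Sysmon or EDR registry events, with the policy path filter extended to HKLM\SOFTWARE\Microsoft\Windows Defender if the sensor reports writes there too.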

MITRE ATT&CK Matrix ATT&CK v6 (tactic: technique, ID, number of matching signatures)

  • Execution: Scripting T1064 (1); Scheduled Task T1053 (1)

  • Persistence: Modify Existing Service T1031 (2); Scheduled Task T1053 (1)

  • Privilege Escalation: Scheduled Task T1053 (1)

  • Defense Evasion: Modify Registry T1112 (1); Disabling Security Tools T1089 (1); Scripting T1064 (1)

  • Command and Control: Web Service T1102 (1)

Tasks