General
Target: C8F7.exe
Size: 123KB
Sample: 210213-2c4qm4qg3e
MD5: cafce84f76fb35a8dcb2e1643db09707
SHA1: db2a432a783fb4ed1e12ccd5a85f894eab8c38ff
SHA256: 94304428071b5b27927d6c5f88ca8a0da48e5361c12b1e258f6aafa0368179fc
SHA512: ac40678374c8e9f02c0ded586f4b28749f12623d59f48c93c40b555fb650958359ec6b6931ccb2257214d982d8324ad7a1ef180e3d62b6bfef85620a31ba607b
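Before relying on this report, confirm that the file you hold is the same object the sandbox analysed. The script below is an added example, not sandbox output; it recomputes all four digests in one pass over the file and reports any that differ from the values listed under General. The byte string used when no path is given is a constructed stand-in and will not match.

```python
"""Verify a local file against the digests in the sandbox report's General section.
Added example, not part of the report.  The fallback bytes in __main__ are constructed
and are *not* the sample, so they are expected to mismatch."""
import hashlib
from io import BytesIO

# Digests exactly as listed in the report.
REPORTED = {
    "md5": "cafce84f76fb35a8dcb2e1643db09707",
    "sha1": "db2a432a783fb4ed1e12ccd5a85f894eab8c38ff",
    "sha256": "94304428071b5b27927d6c5f88ca8a0da48e5361c12b1e258f6aafa0368179fc",
    "sha512": "ac40678374c8e9f02c0ded586f4b28749f12623d59f48c93c40b555fb650958359ec6b6931ccb2257214d982d8324ad7a1ef180e3d62b6bfef85620a31ba607b",
}
ALGORITHMS = tuple(REPORTED)


def digests_from_stream(fp, chunk_size=1 << 20):
    """Feed the stream through every algorithm at once so large files are read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fp.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data):
    return digests_from_stream(BytesIO(data))


def digests_of_file(path):
    with open(path, "rb") as fp:
        return digests_from_stream(fp)


def verify(actual, expected=REPORTED):
    """Return {algorithm: (expected, actual)} for every digest that differs; an empty dict means a full match."""
    return {n: (expected[n].lower(), actual[n]) for n in expected if actual[n] != expected[n].lower()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        actual = digests_of_file(sys.argv[1])
    else:
        actual = digests_of_bytes(b"constructed stand-in, not the sample")  # constructed input
    mismatches = verify(actual)
    print("all digests match the report" if not mismatches else f"MISMATCH on {sorted(mismatches)}")
```

Run it as `python verify_sample.py C8F7.exe`; any single mismatching algorithm means you are not looking at the analysed file, so the behaviours listed further down cannot be assumed to apply to it.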
Static task: static1
Behavioral task: behavioral1
Sample: C8F7.exe
Resource: win7v20201028
Malware Config
Targets
Target: C8F7.exe (123KB; same MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour", but nothing else in this report (an XMRig miner payload, service persistence, a firewall change) points to ransomware; treat that note as a heuristic, not a finding.
- Suspicious use of SetThreadContext
  SetThreadContext rewrites another thread's register state. It is flagged because the call is a common step in process hollowing and other code-injection techniques; on its own the signature does not confirm injection.
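The signature names above are the sandbox's own labels for behaviour it observed in its VM. The script below is an added example, not part of the report or the sandbox, showing how the same behaviours would be matched from host telemetry so a responder can check whether the chain replayed on a real endpoint. It assumes Sysmon events (IDs 1, 11, 13, 22, 23) and the Service Control Manager's event 7045 as dicts with Sysmon field names; the event list, the dropped-file name winsvc32.exe, the service name WinSvc32 and the set of IP-lookup domains are constructed assumptions, not observations from this sample.

```python
"""Match the report's behaviour signatures against host telemetry.
Added example, not part of the sandbox report.  EVENTS is constructed to
illustrate the chain the report describes; it is not telemetry from this
sample, and the dropped-file and service names are invented."""
import re

SAMPLE = r"C:\Users\bob\AppData\Local\Temp\C8F7.exe"   # file name taken from the report
DROPPED = r"C:\Windows\System32\winsvc32.exe"           # constructed dropped-file name

# Constructed events using Sysmon field names (Image, ParentImage, CommandLine,
# TargetFilename, TargetObject, QueryName) plus the SCM "service installed" event 7045.
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": SAMPLE},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "ParentImage": SAMPLE,
     "CommandLine": f'sc create WinSvc32 binPath= "{DROPPED}" start= auto'},
    {"EventID": 7045, "ServiceName": "WinSvc32", "ImagePath": DROPPED},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinSvc32\ImagePath", "Details": DROPPED},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": SAMPLE,
     "CommandLine": f'netsh advfirewall firewall add rule name="WinSvc32" dir=in action=allow program="{DROPPED}"'},
    {"EventID": 1, "Image": DROPPED, "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": DROPPED},
    {"EventID": 22, "Image": DROPPED, "QueryName": "api.ipify.org"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "{SAMPLE}"'},
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": SAMPLE},
]

# Signatures as listed in the report, so coverage() can show which ones log rules cannot reproduce.
REPORTED = [
    "XMRig Miner Payload", "Creates new service(s)", "Executes dropped EXE",
    "Modifies Windows Firewall", "Sets service image path in registry", "Deletes itself",
    "Looks up external IP address via web service", "Drops file in System32 directory",
    "Enumerates physical storage devices", "Suspicious use of SetThreadContext",
]

SYSTEM32 = "c:\\windows\\system32\\"
IP_LOOKUP_DOMAINS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "ipinfo.io"}  # assumed list
SERVICE_IMAGEPATH_RE = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
FIREWALL_RE = re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b", re.I)
SC_CREATE_RE = re.compile(r"\bsc(\.exe)?\s+create\b", re.I)


def _field(ev, key):
    return (ev.get(key) or "").lower()


def match_signatures(events):
    """Return {signature name: [event indices]} for every signature the events support."""
    hits, dropped, parent_of = {}, set(), {}

    def hit(name, idx):
        hits.setdefault(name, []).append(idx)

    for idx, ev in enumerate(events):
        eid, image = ev["EventID"], _field(ev, "Image")
        if eid == 1:                                   # process creation
            parent_of[image] = _field(ev, "ParentImage")
            if image in dropped:                       # a file written earlier is now running
                hit("Executes dropped EXE", idx)
            if FIREWALL_RE.search(_field(ev, "CommandLine")):
                hit("Modifies Windows Firewall", idx)
            if SC_CREATE_RE.search(_field(ev, "CommandLine")):
                hit("Creates new service(s)", idx)
        elif eid == 11:                                # file created
            target = _field(ev, "TargetFilename")
            dropped.add(target)
            if target.startswith(SYSTEM32):
                hit("Drops file in System32 directory", idx)
        elif eid == 13:                                # registry value set
            if SERVICE_IMAGEPATH_RE.match(ev.get("TargetObject") or ""):
                hit("Sets service image path in registry", idx)
        elif eid == 22:                                # DNS query
            if _field(ev, "QueryName") in IP_LOOKUP_DOMAINS:
                hit("Looks up external IP address via web service", idx)
        elif eid == 23:                                # file deleted by the binary itself or by a child it spawned
            target = _field(ev, "TargetFilename")
            if target and (target == image or parent_of.get(image) == target):
                hit("Deletes itself", idx)
        elif eid == 7045:                              # SCM: a new service was installed
            hit("Creates new service(s)", idx)
    return hits


def coverage(hits, reported=REPORTED):
    """Split the report's signatures into those reproduced from logs and those that were not."""
    seen = [s for s in reported if s in hits]
    missing = [s for s in reported if s not in hits]
    return seen, missing


if __name__ == "__main__":
    hits = match_signatures(EVENTS)
    for name, idxs in hits.items():
        print(f"{name}: events {idxs}")
    _, missing = coverage(hits)
    print("not reproducible from these logs:", missing)
```

Three of the report's signatures (the XMRig payload identification, the storage-device enumeration and the SetThreadContext call) come from the sandbox's memory and API-level instrumentation and are not visible in the event types above, which is why coverage() lists them as missing: confirming those on an endpoint needs EDR API tracing or memory analysis rather than event-log rules.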