General
-
Target
keevgpgi.exe
-
Size
11.6MB
-
Sample
210213-fwck4jxhbn
-
MD5
cecab87eece6151682a5dffe04831bb6
-
SHA1
e3d6a4c3d0f25f63abf5aa5c906da1b681462714
-
SHA256
27a880b8a04d59fa74e9ca0c7db57718599f1efca0c593739c12cb1fad9040dc
-
SHA512
1d39a758f9415b493fee4bc0921bfa627d2939d21386a7cd3b9b8f216d75e5025a5f3ff6414b6bfaf2a8acac817cf42a77005677e99ff10094572318a4933ebd
Static task
static1
Behavioral task
behavioral1
Sample
keevgpgi.exe
Resource
win7v20201028
Malware Config
Targets
-
-
Target
keevgpgi.exe
-
Size
11.6MB
-
MD5
cecab87eece6151682a5dffe04831bb6
-
SHA1
e3d6a4c3d0f25f63abf5aa5c906da1b681462714
-
SHA256
27a880b8a04d59fa74e9ca0c7db57718599f1efca0c593739c12cb1fad9040dc
-
SHA512
1d39a758f9415b493fee4bc0921bfa627d2939d21386a7cd3b9b8f216d75e5025a5f3ff6414b6bfaf2a8acac817cf42a77005677e99ff10094572318a4933ebd
-
XMRig Miner Payload
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Deletes itself
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext
-