General
Target: xtllixwk.exe
Size: 12.6MB
Sample: 210215-2d1yeny4be
MD5: a65502084b6d09ee1219201d47f46c20
SHA1: 6855bfa842237d60e76691ce5f59865a045e7e08
SHA256: 8e9077111645da006312e59519b5080e63a9ab0ef7cf686894bfa72279970a33
SHA512: 4a5c53deea9a78aec63de61512aa1cdf101ab8d68dcb0c478d8106e8c6fbfd1c20eb80b0c326a4544a747cf120770198d3f9ba0c6f99fd81534d689c778cc34e
Static task: static1
Behavioral task: behavioral1
Sample: xtllixwk.exe
Resource: win7v20201028
Malware Config
Targets
Target: xtllixwk.exe (size and hashes as listed under General)
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Drops file in System32 directory
- Enumerates physical storage devices: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext