General
Target: D76E.exe
Size: 315KB
Sample: 210215-z5568gq15n
MD5: e0b4e6f9450122319cc01978d3639e83
SHA1: aba9a8fca5e86afbde8215f2ae2c51fae913c149
SHA256: 4cf9da9215e2027a3cfc21491b44c75b469d75a74941fe8c2f3e43ce1c91d0df
SHA512: c8064816a580626a74cd12da0028d8b9c7640a2bebe53d2995fbe75f3b49dc7ddf1599d4f049cadae0596ed0a044ab96735db397b1deddb861b48e0ad2bc4355
Static task: static1
Behavioral task: behavioral1
  Sample: D76E.exe
  Resource: win7v20201028
Malware Config

Targets
Target: D76E.exe
Size: 315KB
MD5: e0b4e6f9450122319cc01978d3639e83
SHA1: aba9a8fca5e86afbde8215f2ae2c51fae913c149
SHA256: 4cf9da9215e2027a3cfc21491b44c75b469d75a74941fe8c2f3e43ce1c91d0df
SHA512: c8064816a580626a74cd12da0028d8b9c7640a2bebe53d2995fbe75f3b49dc7ddf1599d4f049cadae0596ed0a044ab96735db397b1deddb861b48e0ad2bc4355
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext