General

  • Target

    cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.bin.sample.gz

  • Size

    1.3MB

  • Sample

    210528-bhh2hjbr4x

  • MD5

    279899976c66b5efb027865b88d49d0a

  • SHA1

    a9883413dcca7706196d5645ee0cd8f8fb5434b7

  • SHA256

    28f4f0232383f01a81415e1d5c11d93254759260511f15924e3744be2063dafa

  • SHA512

    9f4a1e83a5731e1063f2d59affc011a26ae908859e2794781cd0947fb63cafb64b7310cc42f97ce742363e529d168ca24908e504a6429666ab4d29be570fafcf

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Decrypt-me.txt

Ransom Note

    All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back
    1-Go to C:\ProgramData\ folder and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
    2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
    3-Payment should be with Bitcoin
    4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss
    Our Email:poker021@mailfence.com
    in Case of no Answer:poker021@tutanota.com
Emails

Email:poker021@mailfence.com

Answer:poker021@tutanota.com

Targets

    • Target

      sample

    • Size

      1.3MB

    • MD5

      0e64acab6fb3d50aaebc17e6dfb2d289

    • SHA1

      c5c672a4a8ebae04cf7471c56136dce58ccd88f0

    • SHA256

      cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f

    • SHA512

      e797d31d7355d1f222a444fa934599582ffd9593185668382b9ad05ade1086d152f342305fb1b734a4cc0f691b2b4ba70fd8f183f77aa3f6f775a470fb4e7013

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic              Technique                  Matches  ID
    Persistence         Modify Existing Service    1        T1031
    Credential Access   Credentials in Files       1        T1081
    Collection          Data from Local System     1        T1005

Tasks