General
- Target: oewhwalb.exe
- Size: 10.1MB
- Sample: 220123-vwfpeagbgj
- MD5: f6ee0e7fbe7677dd9f3b053e206fbd4c
- SHA1: 5d561f69158620be0f283e919814a55c495163a5
- SHA256: 8c505862e16dd60fe08e63fd75b3460f21201f77c19d0c4793a68a7b35f5f2e5
- SHA512: 7d710ea59cf0ad5012ed2e3e83b5ca893b7925d5dcfc1bdaf1ce4091cdfeb0751e0935bd69e585d238c3791b9b01bfdd61a41cf6b8187b3b48d68905d1fad437
Static task: static1
Behavioral task: behavioral1
- Sample: oewhwalb.exe
- Resource: win7-en-20211208
Malware Config
Extracted: tofsee
- patmushta.info
- ovicrush.cn
Targets
- Target: oewhwalb.exe
- Size: 10.1MB
- MD5: f6ee0e7fbe7677dd9f3b053e206fbd4c
- SHA1: 5d561f69158620be0f283e919814a55c495163a5
- SHA256: 8c505862e16dd60fe08e63fd75b3460f21201f77c19d0c4793a68a7b35f5f2e5
- SHA512: 7d710ea59cf0ad5012ed2e3e83b5ca893b7925d5dcfc1bdaf1ce4091cdfeb0751e0935bd69e585d238c3791b9b01bfdd61a41cf6b8187b3b48d68905d1fad437
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext