General

  • Target

    tmp

  • Size

    9.5MB

  • Sample

    220505-pj24zsfhc4

  • MD5

    5ecc9b72f28bf953037487bf07b53e4d

  • SHA1

    5ccf6899fdf2b3c8d1711407ab0e996b046f4e28

  • SHA256

    f9985ed5d6b8bde2c68ef180ce7f047f1abd9e9b111a3329bf97db2fbc008ffd

  • SHA512

    5f8b8a17cbbe50c54331de323c2ee94157dff79996280a71ca37d7da0346a219d6b7fda717d72a4230e00a2176e157e27503e48d4e796502f223b3befb9bc875

Malware Config

Targets

    • Target

      tmp

    • Modifies security service

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry gives the technique name, its ATT&CK ID, and the number of matching signatures.

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Modify Existing Service (T1031): 2

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 2

  • Impair Defenses (T1562): 1

  • File Permissions Modification (T1222): 1

Impact

  • Service Stop (T1489): 1

Tasks