General

  • Target

    a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301

  • Size

    7.6MB

  • Sample

    220516-a7sg5ahac7

  • MD5

    95104aa61ed30687c13e5c644d5722f3

  • SHA1

    f9788f808044d448f73203d93da0021cefb781ff

  • SHA256

    a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301

  • SHA512

    99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce

Malware Config

Targets

    • Target

      a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301

    • Modifies security service

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Modifies file permissions

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                       Count  ID
  Execution             Scheduled Task                  1      T1053
  Persistence           Modify Existing Service         2      T1031
  Persistence           Scheduled Task                  1      T1053
  Privilege Escalation  Scheduled Task                  1      T1053
  Defense Evasion       Modify Registry                 2      T1112
  Defense Evasion       Impair Defenses                 1      T1562
  Defense Evasion       File Permissions Modification   1      T1222
  Impact                Service Stop                    1      T1489

Tasks