General
- Target: tmp
- Size: 3.2MB
- Sample: 230115-mmqt1sde99
- MD5: 031b4e1936f8758b15a7a26045162e3a
- SHA1: 5de003a965dde33ca504abc1d4f524e5a285b328
- SHA256: 4718af9354fd4c3f45bcd3ac66cf3e66f90004a9703dfc757690cbd669773aad
- SHA512: 2b99a219704c7bfcc21e0831c691d482230daa0781705ae1b2fa7c7410a3bb63797f69d0efe64c6edd55de2e5f7c876c72fc3ca76ad369db11b59498c1fbb394
- SSDEEP: 98304:5C7tc/q94MEjFFbK2gD4iyA9GZ5aICRdbw+a:pDMKbAExeIWbha
Behavioral task
- behavioral1
- Sample: tmp.exe
- Resource: win7-20220812-en
Malware Config
Targets
- Target: tmp
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner payload
- Downloads MZ/PE file
- Executes dropped EXE
- Stops running service(s)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext