Overview

overview

10

Static

static

1

a12bc9557a...a8.exe

windows7-x64

10

a12bc9557a...a8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a12bc9557ad889a49e7b4f970c78dda8.bin

  • Size

    2.1MB

  • Sample

    230331-cabt8agc45

  • MD5

    a12bc9557ad889a49e7b4f970c78dda8

  • SHA1

    5383b8e6d09d41384281b95f9ccc8e050e7c04fa

  • SHA256

    9940b1f8deb931e431dded69a71e6c9ac4c9e7d4fa560932f92cf0ae94cc65e0

  • SHA512

    be8ca69b115aea7382ad4a780a0452a0df986bb036aec0aea3cac9f4b0d598c4256f0732720a5ee83fc05cd7dac7adf545792f91f2b60a05027a1811f12000ee

  • SSDEEP

    24576:MHOygNfXDgkB9Y+AVIGckFdi3MUxbw+0AX4xVILyqe7keglf9BHHpRNt05sJNuI6:MuhBSda2+0+4xKLyqewBnfNwsJNO

Score
10/10
xmrigevasionminerupx

Malware Config

Targets

    • Target

      a12bc9557ad889a49e7b4f970c78dda8.bin

    • Size

      2.1MB

    • MD5

      a12bc9557ad889a49e7b4f970c78dda8

    • SHA1

      5383b8e6d09d41384281b95f9ccc8e050e7c04fa

    • SHA256

      9940b1f8deb931e431dded69a71e6c9ac4c9e7d4fa560932f92cf0ae94cc65e0

    • SHA512

      be8ca69b115aea7382ad4a780a0452a0df986bb036aec0aea3cac9f4b0d598c4256f0732720a5ee83fc05cd7dac7adf545792f91f2b60a05027a1811f12000ee

    • SSDEEP

      24576:MHOygNfXDgkB9Y+AVIGckFdi3MUxbw+0AX4xVILyqe7keglf9BHHpRNt05sJNuI6:MuhBSda2+0+4xKLyqewBnfNwsJNO

    Score
    10/10
    xmrigevasionminerupx

    • Modifies security service

      evasion

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Drops file in Drivers directory

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Impair Defenses

1
T1562

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks