General

  • Target

    b7536b6f3a45adexeexeexeex.exe

  • Size

    8.9MB

  • Sample

    230709-t9ztrsfd5x

  • MD5

    b7536b6f3a45adfe82b280cc6d10cf4f

  • SHA1

    48dbbe2c2f27e0d659f78ea690e7a20b09aa5dd5

  • SHA256

    fe3e2b265f781993a0b6a27d017b7b7c855330787e380f678e600fb34937716a

  • SHA512

    957992add0608ebcd04a029684b9c654e5654bbe06ec5803a9b87d1fdd66b0a1ba2983793eb8f7a8e54e4a7a65435b953e8867bbb9d1037feca9381ce618e076

  • SSDEEP

    196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
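The digests in the General section are the only link between a file you hold and the behaviour this report describes, so the first step before trusting any of the signatures is to confirm the file in hand produces the same MD5, SHA1, SHA256 and SHA512. The following is an added Python example, not part of the report or of the sandbox that produced it; the digest values are copied from the section above, the file path is whatever you pass on the command line, and the sample itself is not shipped here.

```python
import hashlib

# Digests copied from the report's General section. The sample is not shipped
# with this page; hash_file() expects the path to your own copy.
REPORTED = {
    "md5": "b7536b6f3a45adfe82b280cc6d10cf4f",
    "sha1": "48dbbe2c2f27e0d659f78ea690e7a20b09aa5dd5",
    "sha256": "fe3e2b265f781993a0b6a27d017b7b7c855330787e380f678e600fb34937716a",
    "sha512": "957992add0608ebcd04a029684b9c654e5654bbe06ec5803a9b87d1fdd66b0a1"
              "ba2983793eb8f7a8e54e4a7a65435b953e8867bbb9d1037feca9381ce618e076",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def _digest(chunks):
    """Feed every chunk to all four hashers in one pass; return {algo: hexdigest}."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory buffer (useful for tests and small artifacts)."""
    return _digest([data])


def hash_file(path, chunk_size=1 << 20):
    """Digests of a file on disk, streamed in 1 MiB chunks so an 8.9 MB sample is never read twice."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(chunk_size), b""))


def mismatches(actual, expected):
    """Return {algo: (expected, actual)} for each algorithm whose digest disagrees; empty means verified."""
    return {
        algo: (exp.lower(), actual[algo])
        for algo, exp in expected.items()
        if algo in actual and actual[algo] != exp.lower()
    }


if __name__ == "__main__":
    import sys
    bad = mismatches(hash_file(sys.argv[1]), REPORTED)
    print("sample matches report" if not bad else f"MISMATCH: {bad}")
```

Run it as `python verify.py path/to/sample.exe`; an empty mismatch dict means every listed digest agrees with the report. SSDEEP is deliberately left out because it needs a non-standard library; a fuzzy-hash match is also a weaker statement than the exact digests above.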

Malware Config

Targets

    • Target

      b7536b6f3a45adexeexeexeex.exe

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Contacts a large number (42928) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • XMRig Miner payload

    • mimikatz is an open source tool to dump credentials on Windows

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified build of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Creates a Windows Service

    • Drops file in System32 directory
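The signatures above name behaviours (UPX packing, IFEO entries under "Sets file execution options in registry", firewall modification, service creation, fan-out to tens of thousands of hosts) without showing how to check for them on a host or in a log. The following is an added Python example, not part of the report or of the sandbox's own signature logic. The static half walks a PE section table looking for the UPX0/UPX1 section names that stock UPX leaves; the dynamic half runs simple rules over Sysmon-style event records. The events, the fake PE skeleton, the `C:\Users\lab\...` path and the fan-out threshold of 50 are all constructed here for illustration; the field names (Image, TargetObject, CommandLine, DestinationIp) mirror Sysmon's, but no event is taken from the report.

```python
import struct
from collections import defaultdict

# ---------- static: does the PE section table look like UPX? ----------

def pe_section_names(data):
    """Walk the COFF section table of a PE image and return its section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]          # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data):
    """Stock UPX names sections UPX0/UPX1 and leaves a 'UPX!' marker; builds with renamed sections evade this."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data

def build_fake_pe(section_names):
    """Constructed minimal MZ/PE skeleton for testing: headers only, no code, not a real sample."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + coff + table

# ---------- dynamic: Sysmon-style events (constructed here, not taken from the report) ----------

SAMPLE = r"C:\Users\lab\b7536b6f3a45adexeexeexeex.exe"   # hypothetical path to the sample
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

EVENTS = [
    # ID 13 RegistryEvent (value set): a Debugger value under IFEO hijacks a legitimate binary
    {"EventID": 13, "Image": SAMPLE, "TargetObject": IFEO + r"\taskmgr.exe\Debugger",
     "Details": r"C:\Windows\Temp\x.exe"},
    # ID 1 ProcessCreate: firewall rule and service creation spawned by the sample
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": SAMPLE,
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\\Windows\\Temp\\x.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "ParentImage": SAMPLE,
     "CommandLine": 'sc create svcx binPath= "C:\\Windows\\Temp\\x.exe" start= auto'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]
# ID 3 NetworkConnect: the sample fans out to 60 distinct hosts on one port; explorer.exe talks to two.
EVENTS += [{"EventID": 3, "Image": SAMPLE, "DestinationIp": f"10.0.{i // 256}.{i % 256}", "DestinationPort": 445}
           for i in range(60)]
EVENTS += [{"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": ip, "DestinationPort": 443}
           for ip in ("198.51.100.10", "198.51.100.11")]

def detect_ifeo(events):
    """'Sets file execution options in registry': any value written under the IFEO key."""
    return [(e["Image"], e["TargetObject"]) for e in events
            if e["EventID"] == 13 and e["TargetObject"].lower().startswith(IFEO.lower())]

def detect_firewall_change(events):
    """'Modifies Windows Firewall' via netsh; rule changes made through the COM/API need other telemetry."""
    hits = []
    for e in events:
        cmd = e.get("CommandLine", "").lower()
        if e["EventID"] == 1 and "netsh" in cmd and "firewall" in cmd and \
                any(verb in cmd for verb in ("add rule", "set rule", "delete rule", "set allprofiles")):
            hits.append((e["ParentImage"], e["CommandLine"]))
    return hits

def detect_service_creation(events):
    """'Creates a Windows Service' via sc.exe create; a direct CreateService call only shows as System log 7045."""
    hits = []
    for e in events:
        toks = e.get("CommandLine", "").lower().split()
        if e["EventID"] == 1 and toks and toks[0].rsplit("\\", 1)[-1] in ("sc", "sc.exe") and "create" in toks:
            hits.append((e["ParentImage"], e["CommandLine"]))
    return hits

def detect_fanout(events, threshold=50):
    """'Contacts a large number of remote hosts': distinct destination IPs per process; threshold is a tunable guess."""
    dests = defaultdict(set)
    for e in events:
        if e["EventID"] == 3:
            dests[e["Image"]].add(e["DestinationIp"])
    return {image: len(ips) for image, ips in dests.items() if len(ips) >= threshold}

def run_all(events):
    return {"ifeo": detect_ifeo(events), "firewall": detect_firewall_change(events),
            "service": detect_service_creation(events), "fanout": detect_fanout(events)}
```

Each rule maps to one signature line above and is deliberately narrow: the section-name check is what "UPX packed file" usually keys on and is trivially defeated by a renamed-section build, the netsh and sc.exe rules miss changes made through the API, and the fan-out rule needs a threshold tuned to the host (the report's 42928 hosts is far above any sane baseline, but a domain controller or vulnerability scanner will legitimately exceed 50). Treat hits as triage leads, not verdicts.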

MITRE ATT&CK Enterprise v6

Tasks