General

  • Target

    c022607a31917eexeexeexeex.exe

  • Size

    8.9MB

  • Sample

    230709-ylj6magf2z

  • MD5

    c022607a31917e783469db076a7ee535

  • SHA1

    930bbc20635ffad8f8d08c45fcd93c94accb2a3b

  • SHA256

    824c060aded406cb9827c1d7cf1133d20848452cddb96fb074440e88b7f915d4

  • SHA512

    8f9a353dd1c11bcaf1e615113e16cece121c636e384e98f3ccf31a9e2e1f15759541186019f549bb9b277f164073891211517c7f4531f79768334268eeb91816

  • SSDEEP

    196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Malware Config

Targets

    • Target

      c022607a31917eexeexeexeex.exe

    • Size

      8.9MB

    • MD5

      c022607a31917e783469db076a7ee535

    • SHA1

      930bbc20635ffad8f8d08c45fcd93c94accb2a3b

    • SHA256

      824c060aded406cb9827c1d7cf1133d20848452cddb96fb074440e88b7f915d4

    • SHA512

      8f9a353dd1c11bcaf1e615113e16cece121c636e384e98f3ccf31a9e2e1f15759541186019f549bb9b277f164073891211517c7f4531f79768334268eeb91816

    • SSDEEP

      196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Contacts a large (52990) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • XMRig Miner payload

    • mimikatz is an open source tool to dump credentials on Windows

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks