Overview

overview

10

Static

static

1

c3pool7.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c3pool7.bat

  • Size

    4KB

  • Sample

    230806-21gktsdg9y

  • MD5

    13e899d46060ac8afdf5f6cf24bee4cd

  • SHA1

    28750ce262bd03b0b64c088b2c6c5f9f36318f69

  • SHA256

    7ade6efc0209cfdf8ed8bfa290fefec1d377ebb999aed6fcdb2eab91cc61105f

  • SHA512

    8ee8f1df3f83eb456637d33f2bac494e1076320c839b1c52bcd12edd7096560b4ae218aed3403e9d71566da395574103ccd24127321d4b1450050ec53caaedba

  • SSDEEP

    96:djt+DMVGW8Zc44KVFZo2ZIr0yJ4im+Q39IvMV6kI:d2EPCc44aX2gO4iu3iO6kI

Score
10/10
xmrigevasionminer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe

Targets

    • Target

      c3pool7.bat

    • Size

      4KB

    • MD5

      13e899d46060ac8afdf5f6cf24bee4cd

    • SHA1

      28750ce262bd03b0b64c088b2c6c5f9f36318f69

    • SHA256

      7ade6efc0209cfdf8ed8bfa290fefec1d377ebb999aed6fcdb2eab91cc61105f

    • SHA512

      8ee8f1df3f83eb456637d33f2bac494e1076320c839b1c52bcd12edd7096560b4ae218aed3403e9d71566da395574103ccd24127321d4b1450050ec53caaedba

    • SSDEEP

      96:djt+DMVGW8Zc44KVFZo2ZIr0yJ4im+Q39IvMV6kI:d2EPCc44aX2gO4iu3iO6kI

    Score
    10/10
    xmrigevasionminer

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks