General
- Target: Violence YCT.dll
- Size: 5.1MB
- Sample: 240522-g3qlaseg54
- MD5: 8b1e0498ed857f3392941722c3df3c6f
- SHA1: d1fd52788ac8bfb82fb80e5bbcda53e33c0fc588
- SHA256: 9778a04e08c95ed1be44672ab1663805c7f71e53e913a93ff8d4af98a6a6eb50
- SHA512: d4c4af17e4ad13ebe77b50663e7996601da1d8dc5de62d66c6a622f380255d06561c8f097d0f92e59c4f3db51ea7305a8885633bbc082f1bc4ba55b04e37d093
- SSDEEP: 98304:0CDhTPYpCmiUcTJYzzQu3Bb+XUBiGfxAOlwgTfpSGQkK0B2mdSvFw:0ATP0if9kE0MUvaswApSa5Ymdd
Malware Config
Targets
- Target: Violence YCT.dll
- Size: 5.1MB
- XMRig Miner payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext