Resubmissions

23/05/2024, 13:08

240523-qc7asscb84 10

22/05/2024, 05:36

240522-ga2svsdf28 10

General

  • Target

    aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b.zip

  • Size

    45KB

  • Sample

    240523-qc7asscb84

  • MD5

    aaf7e26177e34ba376e5173e7127c420

  • SHA1

    8e9482123148b029125a3360026a082c8b5e4787

  • SHA256

    528bdf3b7ad770df7a1c440c370ee25f1d91eaf26bf894c34ce5cb5983c62988

  • SHA512

    7d1c26779b21a9fd228ecc804d6304aaf5c2dd87a0eca3999ad57b339084c6833e25c9cf476bc44355e9372e3c922fb27f0262120df9afd08eb3624979c7e2d0

  • SSDEEP

    768:Y+oR/9sZKeuzx8ExbIzK1venIVpO4rXvmhbAZQtsrJuybraDxVDZ4Y7:vXI18Exbt1jrfmhAluybrCxV14w

Malware Config

Extracted configs (each entry: Language ps1, Deobfuscated, URL type ps1.dropper)

  • http://111.90.158.40/get.png

  • http://downloadAddress/clearn.png

  • http://111.90.158.40/get.png?random=20240523131145

  • http://111.90.158.40/kill.png?random=20240523131159

  • http://111.90.158.40/get.png?random=20240523131334

  • http://111.90.158.40/kill.png?random=20240523131338

  • http://111.90.158.40/get.png?random=1716470050

  • http://111.90.158.40/kill.png?random=20240523131413

  • http://111.90.158.40/get.png?random=1716471851

  • http://111.90.158.40/kill.png?random=20240523134415

Targets

    • Target

      aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b

    • Size

      83KB

    • MD5

      bf05392d1205ce66a45a1104fb67adf8

    • SHA1

      9a77e7e641f1336b4b6fbe0dadb54ea4356212f1

    • SHA256

      aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b

    • SHA512

      369b875cf5ae0bc49d6054e21e2b5af5a5efffc2b19693f9f3088b5ace8dc91814c989dd055425bdc8bddfc87cd1a4eaddbd1532c3235bf47ad90e615d6e71cf

    • SSDEEP

      1536:PD1JuLb6B5e5Oa+LWanmQaqLDO/zZkLJLa93zg0QhsW5cde4PvXoRu:aqnYOaOmKLDO/zZKJuzg7MemvXgu

    • Modifies Windows Defender Real-time Protection settings

    • XMRig Miner payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Clears Windows event logs

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks