General

  • Target

    virus exposed.zip

  • Size

    46.5MB

  • Sample

    240530-ww3plsha66

  • MD5

    d411e55150384a2f7469d7b76a87e35e

  • SHA1

    2e2b7333b4ef34e831c835a2e6971447b1b49a08

  • SHA256

    26a181e5b6ea5beabd5b58c241e9181bfbe4bd791181c8dbf0311f3512293850

  • SHA512

    35a286c8f51010985907b7ebc10902fc7182f449355a8fa7fc679b63bb33df7717616c966dfb7e7e54da17898abfda10107dd72fe231b52c22c4fa5b9a6c14e6

  • SSDEEP

    786432:B61QqYq5RNDWpMs7eiTz2hj5Vzk3ALepy7EJLvkfo2KNz/X1tSMFhui2dHVlINN/:o1gANDW6s7e3j5VzlhEJLviuCM52HCr1

Malware Config

Targets

    • Target

      miner (2).TMP/Client.exe

    • Size

      157KB

    • MD5

      2560eaeea2f78be73934dff77dc21115

    • SHA1

      47da9e0270fdd3c762dcb371614eaf4ff67add03

    • SHA256

      c5bbe1f75d15903b38f0c1e944b8205dcbbb8033206b22921ad90bc64b0699e6

    • SHA512

      5ac9af16716e2e9ffa1cec0f74f273468789caf157ddfe7cbf20e6efdf03ad5f0c86d46bf8944c15a79c8d890ec4f683a9c4758c44c3ce5a5f0d3915f9fe977c

    • SSDEEP

      3072:CISoucNzBhW8cKaf7uWQOPodew6FPudZjbahd1P+Aw+RMqgZ:YK5cKsK/jdew6xulbaP+ug

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      miner (2).TMP/num2.EXE

    • Size

      4.3MB

    • MD5

      e6fe75c4390d3970545f0fdbb3274244

    • SHA1

      8b6ed33f1778800cf0549bd7214249bdb81fbb58

    • SHA256

      48aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5

    • SHA512

      17b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20

    • SSDEEP

      98304:964joDvotqdFGNQPhzexAgEC3ziTnaK9vHQR1kUe3HB1ih:9RvtwFmQZ6xXECDAnaSswBM

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      miner.TMP/MicrosoftEdgeUpdater.exe

    • Size

      2.7MB

    • MD5

      19c095e1c399bdaa0663caa9162f0b0e

    • SHA1

      cb5504712ec965f7c43883f2f251823755b1e37e

    • SHA256

      38edfd7aa66f3ae1f376b9cdce558befd877d749e38306f412e8db436cb56713

    • SHA512

      a2a8e9e5140d7b306ba98d3674aa89b3e287cdf39bcf4b326148d963c38052fc65e99a17c0bf846150d71ff3efbd2c9d4b61b4c2d5847f8c9afa222af4c946d9

    • SSDEEP

      49152:9fYIxVYU98IqK6VW6tE1ZWD4Zs52YeycKk4BVhGJneLriO:VYIxVZ98I71/ZsQIcKDoYr

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      miner.TMP/jhi_service.exe

    • Size

      2.5MB

    • MD5

      1994ad04639f3d12c7bbfa37feb3434f

    • SHA1

      4979247e5a9771286a91827851527e5dbfb80c8e

    • SHA256

      c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c

    • SHA512

      adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43

    • SSDEEP

      49152:JeyI4v7SO1chT1kPoGyH22x8wfc3QC/FGQAC8TnWhVpihDHdggjrKCnQPzkwG:JtjehT1kA4wXGMRyk7Kg/nnY

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks