General
Target: RE-TPM-PACK (1).exe
Size: 9.4MB
Sample: 240601-ckdrkaeb5z
MD5: c847e5c6ce07384bdfe6a3006a324297
SHA1: 30554f5395b32109c756e190bb89d067c83d1d94
SHA256: ea50a75692ff8972ed7a970ac4eca23ae14b08ee31e630e95eb21ddb0dd83ed4
SHA512: 32788a387739af2a343e54f7da0aac9a3aaee02329e26fa7e459354ea0dd748614f83401ba12050c64123052f684d502499fbdcf3798e32fed986c511f354e89
SSDEEP: 196608:7reQ0cDe9f6078UYb16tS6xXAFzLjv+bhqNVoBKUh8mz4Iv9Plu1D7AU:Yie9f6Q+h6M69AVL+9qz8/b4IzuRAU
Targets
Target: RE-TPM-PACK (1).exe (size and hashes as listed under General above)
- XMRig Miner payload
- Creates new service(s)
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (2)