General

  • Target

    Krnl.rar

  • Size

    4.0MB

  • Sample

    240614-s6q7sa1aqr

  • MD5

    694249c201b5cc32127dddb34e4b8d0d

  • SHA1

    f9e87459cf4431f4f6080400a91bd504812f167a

  • SHA256

    73b63a0da8648a81916cc2deadd07b9345ff7cf268f2a9a35c25b43fa3ba312a

  • SHA512

    5f40e40ff5e84f8c0082a0a711e8f86ec236d5c46279e303b046d8fb61e6e013a96019f0bcd092be8f9c8b6973ddf97438cd9bd19ea304774c89e18248c41d10

  • SSDEEP

    98304:fIplh+5HiooMepy5GWtOqucmYX7X1A2ca0T4+DdyzJIZ5CS9Ar7:GL+5HjnWgjjmYX5Axa0Tb4KCSSr7

Targets

    • Target

      Krnl.exe

    • Size

      5.3MB

    • MD5

      4570ebfb64c5e9660e0fe27877adae01

    • SHA1

      a4a9e2218828cd81ab77791154801e87b0f6a099

    • SHA256

      aa16c6dac9061821fb5f8b99138fa21a9f031c0606789e36eeb8be9d274b823d

    • SHA512

      3c65deaf97f1af90e13d9a56b0b34845171692be4aec48fda4170d8993e1af8aaed3c84e7f685ed13b973ea9bece24d96c07a961378b9aac3cb18ff0c0b19bad

    • SSDEEP

      98304:3bnKNOtQQDTL2bB5icVbv6lkI4w6I6LPhEGKu/6ZrrZVUkmnj:rnKNOWQD0B576q1w6VPhEG+ZrrZV/mj

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU cryptocurrency miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell (T1059.001)

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that dropped components are not scanned.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

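A check a responder would want for the PowerShell signature above: the detection below is an added example, not part of the sandbox report or of the analysed sample. It scans the ScriptBlockText of PowerShell script-block log events (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) for Add-MpPreference/Set-MpPreference calls that add path, extension or process exclusions, resolving PowerShell's abbreviated parameter names the way the shell does and decoding -EncodedCommand payloads before matching. The log records, paths and process names are constructed for the example.

```python
"""Added example (not from the sandbox report): detect PowerShell that adds
Windows Defender exclusions, the behaviour flagged by the "Command and
Scripting Interpreter: PowerShell" signature above.

Input is the ScriptBlockText of PowerShell script-block log events (Event ID
4104 in Microsoft-Windows-PowerShell/Operational). The sample events below are
constructed for this example, not taken from the analysed sample.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Add-MpPreference / Set-MpPreference parameters that carve out scan exclusions.
EXCLUSION_PARAMS = {
    "exclusionpath": "path",
    "exclusionextension": "extension",
    "exclusionprocess": "process",
}

# One Add-/Set-MpPreference statement, ending at ';', '|' or end of line.
CMDLET_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b[^;|\n]*")
# A single argument: single-quoted, double-quoted, or bare token.
VALUE = r"""(?:'[^']*'|"[^"]*"|[^\s,;|'"]+)"""
# "-Exclusion<suffix> v1, v2, ..."; the suffix is resolved the way PowerShell
# does, so abbreviated parameter names (e.g. -ExclusionExt) are still caught.
PARAM_RE = re.compile(rf"(?i)-(Exclusion\w*)\s+({VALUE}(?:\s*,\s*{VALUE})*)")
# "-enc <base64>" / "-EncodedCommand <base64>" on a powershell.exe command line.
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class ExclusionHit:
    kind: str            # "path", "extension" or "process"
    values: List[str]    # exclusion values with surrounding quotes removed
    statement: str       # the statement that produced the hit


def resolve_param(name: str) -> Optional[str]:
    """Map a (possibly abbreviated) parameter name to an exclusion kind.

    PowerShell accepts any unambiguous prefix of a parameter name, so the same
    rule is applied here; ambiguous or unknown prefixes return None.
    """
    matches = [full for full in EXCLUSION_PARAMS if full.startswith(name.lower())]
    return EXCLUSION_PARAMS[matches[0]] if len(matches) == 1 else None


def decode_encoded_commands(text: str) -> str:
    """Append the UTF-16LE payload of any -EncodedCommand so it is inspected too."""
    parts = [text]
    for m in ENC_RE.finditer(text):
        try:
            parts.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed encoded command; the raw text is still scanned
    return "\n".join(parts)


def find_exclusion_tampering(script_block: str) -> List[ExclusionHit]:
    """Return one hit per exclusion parameter found in the script block."""
    hits: List[ExclusionHit] = []
    for cmd in CMDLET_RE.finditer(decode_encoded_commands(script_block)):
        statement = cmd.group(0).strip()
        for param in PARAM_RE.finditer(statement):
            kind = resolve_param(param.group(1))
            if kind is None:
                continue
            values = [v.strip("'\"") for v in re.findall(VALUE, param.group(2))]
            hits.append(ExclusionHit(kind, values, statement))
    return hits


def scan_events(events) -> List[tuple]:
    """Scan 4104 records; return (RecordId, hit) pairs for every exclusion added."""
    found = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        for hit in find_exclusion_tampering(ev["ScriptBlockText"]):
            found.append((ev["RecordId"], hit))
    return found


# Constructed sample events (not real telemetry from the analysed sample).
_ENCODED = base64.b64encode(
    r"Add-MpPreference -ExclusionPath 'C:\Windows\System32\drivers'".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": r"""Add-MpPreference -ExclusionPath 'C:\ProgramData\Krnl', "$env:TEMP" -ExclusionExt .exe, .dll"""},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "Set-MpPreference -ExclusionProcess Krnl.exe; Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"RecordId": 4, "EventID": 4104,
     "ScriptBlockText": f"powershell.exe -NoP -W Hidden -enc {_ENCODED}"},
    {"RecordId": 5, "EventID": 4103, "ScriptBlockText": "Add-MpPreference -ExclusionPath C:\\x"},
]

if __name__ == "__main__":
    for record_id, hit in scan_events(SAMPLE_EVENTS):
        print(f"record {record_id}: {hit.kind} exclusion {hit.values}  <- {hit.statement}")
```

This only covers the cmdlet route that the signature describes. Exclusions can also be written directly under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions or set through the MSFT_MpPreference WMI class, and Defender itself records every configuration change as Event ID 5007 in Microsoft-Windows-Windows Defender/Operational; a complete detection pairs this script-block check with those sources so that the miner's exclusions are caught however they were added.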
MITRE ATT&CK Enterprise v15
