General

  • Target

    Desktop.zip

  • Size

    8.2MB

  • Sample

    240629-y9p2savhje

  • MD5

    f5c5f4572e0dc9f3c210a636885c1e4b

  • SHA1

    df7731584614d2414d9b14c5d0f2d5223e3e742f

  • SHA256

    f1f7dbd211cac3e16a911ad71a790c42d20a2f62711ff8a0918d8bd576cf41e4

  • SHA512

    446cd5c863a71a2c8d8558c9a162b99012805b636fc3f3cc555c6836c7bb6bebdced148c6de3a77d9c277f900819ce2e6cea39672ef120f0a24a1e40cae3d086

  • SSDEEP

    196608:NsjHWLtfvGzd6MZfeY5lqctrz8J+8uesYDYaASn1myj:Nsj2JOzt5k8z8J+8PTASB

Malware Config

Targets

    • Target

      SuperNova.exe

    • Size

      319KB

    • MD5

      139874ded78aa99b323dba8eac9c9956

    • SHA1

      b5baf7067dcb33b9679ec0188e27e93c3fd70369

    • SHA256

      569f306077e35e7fbc449095ce624000939b8f27e68f6bcef908173675118ac9

    • SHA512

      bc2bf447e8f06f8dbd3f55a1954ad6137abae2d3c57e471dc1d701ef3ae0dd2263a271af99c09b609b2eeb2c24548650182e1bc18ef75e78a0bf2b559006bc6b

    • SSDEEP

      6144:Z4FLwAiLQyi6nn1VredEGZGa0Xv50evr1ChZ9bRPXlwAiLQT:ZILwAiG8f3GZ3Q1S9bR9wAiY

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks