General

  • Target

    SecuriteInfo.com.Win64.Evo-gen.10290.11543.exe

  • Size

    8.1MB

  • Sample

    241027-w5gthaykbt

  • MD5

    f7095d4c508bd4b9e471aec98d48bcfb

  • SHA1

    df1d5d4464597459cff6768eed0c404e8069e683

  • SHA256

    47dd988feb765659bd0674ba2dcfee8095395ac92fdff839055287145d06c4a3

  • SHA512

    654ff033e459de206c74c3856314d8b1c6cfe65d151cd73026a9f85383710bc1a0f7d5b68de523b6acbf9e6695ea126c6a190516b5e7d15d2d5238dddccae752

  • SSDEEP

    196608:DtiSLFDxA4TQ6mKC3FxVYBpX0H4KoX6YoySQ4gqplDP+tq5nR4P:DtPZTQ6mv1TKR0YC1P6+RG

Malware Config

Targets

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks