General

  • Target

    c7eaff9d735d8eef42c73be4c093f7b31cf7d0df18c98d135eb915c13409d077.exe

  • Size

    3.8MB

  • Sample

    241107-yxq4ba1jcn

  • MD5

    f6814a59c53218b84eb943ef07fcb74c

  • SHA1

    27aa1ad8dbe7040e9ba2a1499ef4ce0117728f6d

  • SHA256

    c7eaff9d735d8eef42c73be4c093f7b31cf7d0df18c98d135eb915c13409d077

  • SHA512

    41c09fdde4db7c074eeddb16a4a1716aa40e27b32cff2ce3cb0b466a357edd30d4390d6832bfe021f49638bc0bdd6697141cab6b67f7d58fd5f06efbfabc6264

  • SSDEEP

    98304:fyzs10ZzmBarm735MyHkWKA7kFCQi7MahHr5Gt40JY8:fyQfBamD5QM7Mms4ah

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://k2ygoods.ydns.eu/power.txt

Targets

    • XMRig Miner payload

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Sets file to hidden

      Modifies file attributes so that the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Runs commands via powershell.exe.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
