General

  • Target

    39cb1b5b48070a2e442352125d217f0d8cfd8bf36c74b37db2b4f3085a553be5.lnk

  • Size

    1008KB

  • Sample

    241112-s52l5avkdv

  • MD5

    578731c4c92cf8d0ee9e1a5ae45cf851

  • SHA1

    1d0e1a804eda29d2404ec6bb55eddff8c89449de

  • SHA256

    39cb1b5b48070a2e442352125d217f0d8cfd8bf36c74b37db2b4f3085a553be5

  • SHA512

    cc5cd99b5d29dd0188958c995bbb2e6860106252f4bf730729e4cbba45cf4f90c1828fa2fc94e86571f57e8d7bf835c036a9bef904e17d8ac34a9183910b6766

  • SSDEEP

    384:oIZEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFf:tI

Targets

    • XMRig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
