20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d

Sharing

Copy URL

Twitter E-mail

General

Target

images.scr)
Size

4.5MB
Sample

241120-l9mkfazmfp
MD5

32f21ab8cf9b96e8ba86395a0edc2e4f
SHA1

2a5b3c07e32b3b2b0c1ef33a10685027703440ec
SHA256

20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d
SHA512

d7fc84e52ad671f55f07bd46a06ea3b881606f21c457e21d50bc45e08339926d13890792503d3bca46edc866f7a739cf7b845f0182ed18bcdb70bca1db011f6c
SSDEEP

98304:DMUaI9OMzejqikpYbAI7XLyhq6IvorAJKn6kD801cgl0+BhV1C8q0DBAvD:I8Oxy61y6g38ScglnBh20FMD

Score

7^/10

Malware Config

Targets

- Target
  
  images.scr)
- Size
  
  4.5MB
- MD5
  
  32f21ab8cf9b96e8ba86395a0edc2e4f
- SHA1
  
  2a5b3c07e32b3b2b0c1ef33a10685027703440ec
- SHA256
  
  20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d
- SHA512
  
  d7fc84e52ad671f55f07bd46a06ea3b881606f21c457e21d50bc45e08339926d13890792503d3bca46edc866f7a739cf7b845f0182ed18bcdb70bca1db011f6c
- SSDEEP
  
  98304:DMUaI9OMzejqikpYbAI7XLyhq6IvorAJKn6kD801cgl0+BhV1C8q0DBAvD:I8Oxy61y6g38ScglnBh20FMD
Score

7^/10

discovery persistence vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $R0/NsCpuCNMiner32.exe
- Size
  
  1.4MB
- MD5
  
  3afeb8e9af02a33ff71bf2f6751cae3a
- SHA1
  
  fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107
- SHA256
  
  a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08
- SHA512
  
  11a2c12d7384d2743d25b9e28fc4ea0c3e2771aca92875fd3350f457df66c66827d175f67108f1a56d958f3b1163f3a89eedb8919bf7973d037241a1e59231d5
- SSDEEP
  
  24576:gWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:gSrwf3aZmpOFU2iQNIUc1LxGTtswgd
Score

7^/10

discovery vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  $R0/NsCpuCNMiner64.exe
- Size
  
  1.5MB
- MD5
  
  eedb9d86ae8abc65fa7ac7c6323d4e8f
- SHA1
  
  ce1fbf382e89146ea5a22ae551b68198c45f40e4
- SHA256
  
  d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
- SHA512
  
  9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
- SSDEEP
  
  24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  $R0/NsGpuCNMiner.exe
- Size
  
  1.5MB
- MD5
  
  35d2c42b6ee0acbce9dfe8cc418fe5d8
- SHA1
  
  66b965d1ee4013c80f7e0e27725e43f3d316325a
- SHA256
  
  7a2a860bb344526e8546acd172522b4d276a4647f43dd4720281d40e390b283e
- SHA512
  
  00d89a686995d7b2415f6de5786a175232606cb962744149129ed329fcbf0d4ee076e9bc1125adcaa58571ade5f22372b0bef2d2af78dd12378654e6e23b5ebf
- SSDEEP
  
  49152:FG/58i4P5hIFmiMhgmo+e5i2vkCzqYQjUs:wvw5mmed+e5hsCL+
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral11 behavioral12
- Target
  
  $R0/load.exe
- Size
  
  44KB
- MD5
  
  bc6db57b6f9118ecb27625cb7646688a
- SHA1
  
  0f864d398c98f3bde6304145b3f65fa65e62d320
- SHA256
  
  115d327daa7b69fac688a274f18629d3a0dbc92726413af45ab71e51bd03df28
- SHA512
  
  815d2195c8e8e0e4a9d922f9c6e17259be78ceda370968c2aa1a8fbc82717cdc7d255dbfa9f95e8dab931c18f03d08eef3fb0e3231a8f01cb0bfda64eb53d754
- SSDEEP
  
  768:6HJd0TpH2+bQ2dUWVX9Hfv1JMWmtLEJOyuBxG0D3mjfS3XJcM8dMkrClK1EffNHJ:6pgpHzb9dZVX9fHMvG0D3XJcMBK1KYqF
Score

7^/10

discovery
- Loads dropped DLL
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Adds Run key to start application

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

VMProtect packed file

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16