General
-
Target
drv.exe
-
Size
9.2MB
-
Sample
241120-s9sj1sydme
-
MD5
7847274fd4b59430dbf28f58cc80fd4b
-
SHA1
c7301085fae2ebbc3bab0508f9ab008e11b39df7
-
SHA256
20166874773083c8543bf0ad5d29933cc8a549c99537ef5c843316704a603e2e
-
SHA512
9411130993f2fc3c0293414529c0c99a8023f097aabe962337534b92e35e7f2fcf123806cbdcc87c3792fbd48440437ca3be224824d80618b3fd37f0035f58de
-
SSDEEP
196608:C9K/OiZn75u+rC2x47P/4JkyCT2SwCvWSEjnXuwHo102YFCVQGk:C9KBerL4JLCuSnwHt2JE
Malware Config
Targets
-
-
Target
drv.exe
-
Size
9.2MB
-
MD5
7847274fd4b59430dbf28f58cc80fd4b
-
SHA1
c7301085fae2ebbc3bab0508f9ab008e11b39df7
-
SHA256
20166874773083c8543bf0ad5d29933cc8a549c99537ef5c843316704a603e2e
-
SHA512
9411130993f2fc3c0293414529c0c99a8023f097aabe962337534b92e35e7f2fcf123806cbdcc87c3792fbd48440437ca3be224824d80618b3fd37f0035f58de
-
SSDEEP
196608:C9K/OiZn75u+rC2x47P/4JkyCT2SwCvWSEjnXuwHo102YFCVQGk:C9KBerL4JLCuSnwHt2JE
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Creates new service(s)
-
Drops file in Drivers directory
-
Stops running service(s)
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery
Attempt to gather information on host network.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Power Settings
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Indicator Removal
1File Deletion
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3