General

  • Target

    f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

  • Size

    15.4MB

  • Sample

    241123-p6m9ca1pfj

  • MD5

    c2a14e873d47a54010d29d3208050f98

  • SHA1

    115a5076ff926500ae220cf5e3730084f8a5acf5

  • SHA256

    f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871

  • SHA512

    a3a6015a5f4971b24ef51ebbd169c36afa16ebcce6ae0cc34493ad7a9cf01478728a839198fa9b364aed2ae5cb061bff013d02cb48372aed2669c8067bdb3fd3

  • SSDEEP

    393216:kiFsmlTVA8M17MtdipJPVRHy5CKNidWk6KODEfQ:kiHjjJtspN686TuQ

Malware Config

Targets

    • Target

      f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped miner is not scanned.

    • Checks BIOS information in registry

      BIOS information is often read from the registry to detect sandbox and virtual-machine environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
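
The Defender exclusion behaviour listed above is the first thing a responder should verify on a host that ran this file. The PowerShell below is an added example, not code from the report or from the sample; it assumes an elevated session on the affected Windows host. It lists the exclusions currently in force, then hunts Defender's operational log (Event ID 5007, logged for every configuration change) and PowerShell script block logging (Event ID 4104) for when and how they were added. The 4104 query returns nothing if script block logging was not enabled at the time.

```powershell
# Added example, not code from the report: verify and hunt for the Defender exclusions
# this sample adds. Run in an elevated PowerShell session on the affected host.

# 1. Exclusions currently in force. A miner that excluded its own drop path or process
#    name will still appear here after the PowerShell process that added it has exited.
$pref = Get-MpPreference
[pscustomobject]@{
    ExcludedPaths      = $pref.ExclusionPath
    ExcludedExtensions = $pref.ExclusionExtension
    ExcludedProcesses  = $pref.ExclusionProcess
} | Format-List

# 2. Defender records every configuration change as Event ID 5007. The message names the
#    registry value that changed, so filter for the three Exclusions subkeys.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\(Paths|Extensions|Processes)' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. If script block logging was on, Event ID 4104 holds the exact command that was run.
#    Properties[2] of a 4104 event is its ScriptBlockText field.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match '(Add|Set)-MpPreference\s.*-Exclusion(Path|Extension|Process)' } |
    Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } } |
    Format-List
```

Collect the excluded files before cleaning up; once they are preserved, `Remove-MpPreference -ExclusionPath <path>` (and the `-ExclusionExtension` / `-ExclusionProcess` variants) removes each exclusion and Defender will scan the dropped payloads on the next pass.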

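The ACPI and BIOS registry reads flagged above are the classic hypervisor fingerprints: VirtualBox exposes its ACPI tables under its own OEM ID, and the firmware strings Windows copies into HKLM\HARDWARE\DESCRIPTION\System name the BIOS vendor and machine model. As an added example, not from the report, the PowerShell below reads the same values from the defender's side so an analyst can see what an analysis VM leaks before detonating a sample in it. The key and value names are the standard Windows locations; the list of hypervisor markers is an assumption covering common products and can be extended.

```powershell
# Added example, not code from the report: read the registry values that BIOS/ACPI
# anti-VM checks look at, and flag any that name a hypervisor. Run on the analysis VM.

# Firmware strings Windows copies into the registry at boot (REG_SZ or REG_MULTI_SZ).
$biosValues = @(
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System';      Names = @('SystemBiosVersion', 'VideoBiosVersion', 'SystemBiosDate') }
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'; Names = @('BIOSVendor', 'SystemManufacturer', 'SystemProductName') }
)
# Assumed marker list: substrings that commonly give a hypervisor away in those strings.
$vmMarkers = @('VBOX', 'VIRTUALBOX', 'INNOTEK', 'VMWARE', 'QEMU', 'BOCHS', 'XEN', 'HYPER-V', 'VIRTUAL MACHINE')

$findings = @(foreach ($entry in $biosValues) {
    foreach ($name in $entry.Names) {
        $raw  = (Get-ItemProperty -Path $entry.Path -Name $name -ErrorAction SilentlyContinue).$name
        $text = ($raw -join ' ')               # multi-string values arrive as arrays
        $hits = $vmMarkers | Where-Object { $text.ToUpper().Contains($_) }
        [pscustomobject]@{
            Location = "$($entry.Path)\$name"
            Value    = $text
            Flags    = ($hits -join ', ')
        }
    }
})

# VirtualBox registers its ACPI tables under the OEM ID "VBOX__"; the subkey name is the tell.
$findings += @(foreach ($table in @('DSDT', 'FADT', 'RSDT')) {
    $path = "HKLM:\HARDWARE\ACPI\$table"
    if (Test-Path $path) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match 'VBOX' } |
            ForEach-Object {
                [pscustomobject]@{ Location = $_.Name; Value = $_.PSChildName; Flags = 'VirtualBox ACPI OEM ID' }
            }
    }
})

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Flags }) {
    Write-Warning 'This machine exposes hypervisor markers that an anti-VM check of this kind will detect.'
}
```

Any row with a non-empty Flags column is a value the sample can read with a single registry query; hiding it means changing the VM's firmware strings (for example through the hypervisor's DMI/SMBIOS configuration), since patching the registry after boot is not enough for checks that read the ACPI tables directly.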
MITRE ATT&CK Enterprise v15

Tasks