General
-
Target
c4676bb1da6a69d61b5307efaeb17b94b5187729520c479cf6b03b70c7a55631.exe
-
Size
4.3MB
-
Sample
241125-mzrxvazkdj
-
MD5
bbb6e4d3f25b0d87d5cdc14915638b20
-
SHA1
f96659c6a60fee226949479d80b3b8642ff89687
-
SHA256
c4676bb1da6a69d61b5307efaeb17b94b5187729520c479cf6b03b70c7a55631
-
SHA512
efbd11ff8d6142f2878d5699ae25f45c65f255c35ac515cdd3c2eed9742df9780c18ab79bae7bb247dab3db5d11a6a7183f7878faad9a0e35f9f43598c53d72b
-
SSDEEP
49152:ogvUQRjHqNEODi4lyLAiaPK2eVn0a4FKW12k9hnOru+2:PvUQRwx249iaMVn0vQWMkbnOS+2
Malware Config
Targets
-
-
Target
c4676bb1da6a69d61b5307efaeb17b94b5187729520c479cf6b03b70c7a55631.exe
-
Size
4.3MB
-
MD5
bbb6e4d3f25b0d87d5cdc14915638b20
-
SHA1
f96659c6a60fee226949479d80b3b8642ff89687
-
SHA256
c4676bb1da6a69d61b5307efaeb17b94b5187729520c479cf6b03b70c7a55631
-
SHA512
efbd11ff8d6142f2878d5699ae25f45c65f255c35ac515cdd3c2eed9742df9780c18ab79bae7bb247dab3db5d11a6a7183f7878faad9a0e35f9f43598c53d72b
-
SSDEEP
49152:ogvUQRjHqNEODi4lyLAiaPK2eVn0a4FKW12k9hnOru+2:PvUQRwx249iaMVn0vQWMkbnOS+2
Score10/10-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
2Clear Persistence
1Clear Windows Event Logs
1Modify Registry
1