Overview

overview

10

Static

static

3

Exexcutor/...UI.dll

windows7-x64

3

Exexcutor/...UI.dll

windows10-2004-x64

3

Exexcutor/...ta.dll

windows7-x64

1

Exexcutor/...ta.dll

windows10-2004-x64

5

Exexcutor/main.exe

windows7-x64

10

Exexcutor/main.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1272235346f764cc597a0f6456c4b59a.bin

  • Size

    45.2MB

  • Sample

    241126-bc4gkssmfr

  • MD5

    a0ba4efad1b206dda7b96e746db62327

  • SHA1

    572f273b6b59e8cd9313a4a94c847c0a36655f43

  • SHA256

    bebe54007e4e4f49da32435478a12f63915d99e47dc59033ccb32757f67aa2b0

  • SHA512

    6ac0561231e7f03a82b3e10c67af9a129292da40c5210f56c0ff4afa79baae2f421e2117d1b649d437feac8626141557411332da632f0b3914641cd65218272c

  • SSDEEP

    786432:GwDRw6n4/O3GomFFiLtDyjFTlD32Z+QhJWgMsc6MkEgWqzDvbHi52jtBuB:GjEdXmFAs5132ZDm16aPqTHRjKB

Score
10/10
xmrigcollectioncredential_accessdefense_evasiondiscoveryexecutionminerpersistenceprivilege_escalationspywarestealerupx

Malware Config

Targets

    • Target

      Exexcutor/dll/GameUI.dll

    • Size

      825KB

    • MD5

      7050fafa87936d6a22b445b2252c2364

    • SHA1

      eef08a9359dfc428b567d56528edfc2de6fb9120

    • SHA256

      5359ffc4589711c625f88ba717391a05cfa91ce273e580a26e27298ad91f38ec

    • SHA512

      50d962f491678bd900a33f889e751573a60aad70744b09fdb2de5a5433246589f45068c600e13529e99789a2e8d580d67bdde37e88db6fed78146b6582f157ae

    • SSDEEP

      24576:jS6/WAXyjzg1UuakASe87AKoXtLmlBGh9:3fCkv89f

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      Exexcutor/dll/RobloxPlayerBeta.dll

    • Size

      30.3MB

    • MD5

      37d24fd670952285ebfd71b67fd8c846

    • SHA1

      4bdbcae296df1c68791bdd73c5624a8c67de9fb7

    • SHA256

      c2473185b9a393b55bde12537d0164f3595f1940d8ed9ed612ea21f06fd7823b

    • SHA512

      544e40228267f5e59a582d6df316a6e08e9e740cd5252ac70b53901dfd1e761ff9eca72cf03fd43f2cba86e94ec2a537823b6c5cc96ef8744a302141ee64a570

    • SSDEEP

      98304:GXMt4v6+rCwLBcazmG52ZqIBnQeFJy6u93W635plyPv8UH12DEeTM46VF/Q29j4h:So+rFDmT1Q6un3a3H1s+FwGogbOqzOr

    Score
    5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      Exexcutor/main.exe

    • Size

      37.2MB

    • MD5

      15753001204630c254b85fceadcb3027

    • SHA1

      ea16917f1cf19b86f53b61e032a010c607a7ed05

    • SHA256

      188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5

    • SHA512

      7dd7a7ed06139933f79ff5e298fbfa9b63f19e4c7881f55dd208261f4bf5793a9bd58de66dec60b495c40955d61c9182472840358d80ab30f73ef1ab4989d75b

    • SSDEEP

      786432:lzynVYtYYbKGk6ojijibkmr3x/Y25UQmxzgir:RYh6ouwPJX5URg

    Score
    10/10
    xmrigdiscoveryexecutionminerupxcollectioncredential_accessdefense_evasionpersistenceprivilege_escalationspywarestealer

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks