General
  Target: 15753001204630c254b85fceadcb3027.bin
  Size: 37.2MB
  Sample: 241126-bc9ctssmgp
  MD5: 02e2f4710cbc11f8fa1646970eda1705
  SHA1: 5ca6b796bc5d838ba04028c7f20dbeca8e682d86
  SHA256: 969bee60460797f1ed3755ab03923efa5039c1d2405f56dd0ffbaefe0fb87ea6
  SHA512: e6505b038c81b567af2eb18cfa95785fb7cbde0de584c4185f5da60546b4ac6043b904bb688bb9fd4a06e93f1d9c099d237823fe967ae2086072d71b1c1df60a
  SSDEEP: 786432:Yg7dcJfWt7A4SfvJG7HvlVbXoF//dVaeWjRpeqZaWtpW:uJfWt2xiDMFNgpVZTW
Static task: static1
Behavioral task: behavioral1
  Sample: 188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
  Target: 188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5.exe
  Size: 37.2MB
  MD5: 15753001204630c254b85fceadcb3027
  SHA1: ea16917f1cf19b86f53b61e032a010c607a7ed05
  SHA256: 188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5
  SHA512: 7dd7a7ed06139933f79ff5e298fbfa9b63f19e4c7881f55dd208261f4bf5793a9bd58de66dec60b495c40955d61c9182472840358d80ab30f73ef1ab4989d75b
  SSDEEP: 786432:lzynVYtYYbKGk6ojijibkmr3x/Y25UQmxzgir:RYh6ouwPJX5URg
- Xmrig family
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)