General

  • Target

    FrozenPerm_CRACKED.exe

  • Size

    64.8MB

  • Sample

    241212-kljm7symcw

  • MD5

    26500f10c8ceeae8d462d6a3086ab5d3

  • SHA1

    5a61e0551ff00378c3d633170b67403e50a9d425

  • SHA256

    a8c756a4059a6be18b3a44802403fd388d938ab33677e1a6032d1c6c7741ac0b

  • SHA512

    b1198bd575726753782e85334a1250a1fce770cad303941048801a0ac2e70ae680076535faf0c37e19644d561b3b9cc77407c23a358872e7d1c17893eecfcf09

  • SSDEEP

    786432:BYS6GKaTYIGiYk+KjotgDqanrcHJB5hOq29p2DrhUcVqttPemFt/W:NmijZpgHJnhOdGrKYmFt/W

Malware Config

Targets

    • Target

      FrozenPerm_CRACKED.exe

    • Size

      64.8MB

    • MD5

      26500f10c8ceeae8d462d6a3086ab5d3

    • SHA1

      5a61e0551ff00378c3d633170b67403e50a9d425

    • SHA256

      a8c756a4059a6be18b3a44802403fd388d938ab33677e1a6032d1c6c7741ac0b

    • SHA512

      b1198bd575726753782e85334a1250a1fce770cad303941048801a0ac2e70ae680076535faf0c37e19644d561b3b9cc77407c23a358872e7d1c17893eecfcf09

    • SSDEEP

      786432:BYS6GKaTYIGiYk+KjotgDqanrcHJB5hOq29p2DrhUcVqttPemFt/W:NmijZpgHJnhOdGrKYmFt/W

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks