General
  Target: FrozenPerm_CRACKED.exe
  Size: 64.8MB
  Sample: 241212-y6cbhsykhk
  MD5: 26500f10c8ceeae8d462d6a3086ab5d3
  SHA1: 5a61e0551ff00378c3d633170b67403e50a9d425
  SHA256: a8c756a4059a6be18b3a44802403fd388d938ab33677e1a6032d1c6c7741ac0b
  SHA512: b1198bd575726753782e85334a1250a1fce770cad303941048801a0ac2e70ae680076535faf0c37e19644d561b3b9cc77407c23a358872e7d1c17893eecfcf09
  SSDEEP: 786432:BYS6GKaTYIGiYk+KjotgDqanrcHJB5hOq29p2DrhUcVqttPemFt/W:NmijZpgHJnhOdGrKYmFt/W
Behavioral task: behavioral1
  Sample: FrozenPerm_CRACKED.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: FrozenPerm_CRACKED.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (number of matching events in parentheses)
Execution
  Command and Scripting Interpreter (2)
    PowerShell (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)