Malware Analysis Report

2025-01-18 04:56

Sample ID 241219-xyek8syjhq
Target 630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc
SHA256 630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc
Tags
miner modiloader zeppelin masslogger mountlocker xmrig execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc

Threat Level: Known bad

The file 630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc was found to be: Known bad.

Malicious Activity Summary

miner modiloader zeppelin masslogger mountlocker xmrig execution

Masslogger family

ModiLoader Second Stage

Modiloader family

Xmrig family

Zeppelin family

Detected Mount Locker ransomware

Detects Zeppelin payload

XMRig Miner payload

MassLogger log file

Mountlocker family

Command and Scripting Interpreter: JavaScript

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-19 19:15

Signatures

Detected Mount Locker ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Masslogger family

masslogger

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Mountlocker family

mountlocker

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Zeppelin family

zeppelin

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-19 19:15

Reported

2024-12-20 03:56

Platform

win11-20241007-en

Max time kernel

435s

Max time network

1164s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A