Overview

overview

10

Static

static

1

20-12-2024...kj.zip

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    20-12-2024_UqVE2XPvW38Pgkj.zip

  • Size

    4.3MB

  • Sample

    241220-h11txsspht

  • MD5

    cf356b163f946dc2f16d95febf45a583

  • SHA1

    e7c8e964c23f86765d729b82d3140604bb00cb7c

  • SHA256

    50d3bf20e1534889385de4b8d780a750c9d37a75c941ffae6dd961caef2eb325

  • SHA512

    baa6367011ebda751fe7ef40a49f99e96c5daf19e068b02b2cdf564477f17a792a9dc0887b9723208d0c49d55a7e1c501723643d12fee8c8dcd0d1406e65be2d

  • SSDEEP

    98304:YIv1mD5TqdFfK4iBOqWh3tWyfzbgwgGP7OZlGWwCR6t+uWiPBt1KP:YIdmFkF7iMtWKzkwgh1wc6t+cBS

Score
10/10
xmrigdefense_evasiondiscoveryevasionexecutionminerpersistenceupx

Malware Config

Targets

    • Target

      20-12-2024_UqVE2XPvW38Pgkj.zip

    • Size

      4.3MB

    • MD5

      cf356b163f946dc2f16d95febf45a583

    • SHA1

      e7c8e964c23f86765d729b82d3140604bb00cb7c

    • SHA256

      50d3bf20e1534889385de4b8d780a750c9d37a75c941ffae6dd961caef2eb325

    • SHA512

      baa6367011ebda751fe7ef40a49f99e96c5daf19e068b02b2cdf564477f17a792a9dc0887b9723208d0c49d55a7e1c501723643d12fee8c8dcd0d1406e65be2d

    • SSDEEP

      98304:YIv1mD5TqdFfK4iBOqWh3tWyfzbgwgGP7OZlGWwCR6t+uWiPBt1KP:YIdmFkF7iMtWKzkwgh1wc6t+cBS

    Score
    10/10
    xmrigdefense_evasiondiscoveryevasionexecutionminerpersistenceupx

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks