General
Target: FreeSpoofer.zip
Size: 25.2MB
Sample: 241222-s318kssmbw
MD5: 395ecd48037ecc8ecc9fe07b591787a3
SHA1: 016e11a2dab3ed2d5b588d99d33ab9dfdb95d422
SHA256: 2e29359adc345fbef1d0a2f082d441d600d9c616586303938609d025e8ac98fb
SHA512: 91e7f21f78848f259d2f8e43593fbbf9333a6009690ef1574104e8b7e8e129c33be8f58b6fb9412aaa9fce3198e4ea710b91c196490e6ef1ff16185028da8f11
SSDEEP: 393216:CNyP7ixYoewSbBkqSZKxZUwZWupZNNQ6Hi14ODNNEPc9OcQbhatuz85iq/pn8cr:2yP7ZLBkNoWufA6C14EXEOVQbD8WY
Malware Config
Targets
Target: FreeSpoofer/Loader.exe
Size: 26.4MB
MD5: aec49804a232eb45a7cf41e2dfef37fc
SHA1: 5cedbd522c3c40305f6d656f57edf9b6a89d7e21
SHA256: deb7985a8f9a56f2dcbfdd4c5fa4732daad89ce82733818915f3a4e07c2d3b09
SHA512: ad9cf94db9a109e0f3a191169025c4f5ec86aca68937c373380dcb84c728b5817bf5e7bee8eea47b7cb82f5415234ab08a53f26030a5573d574477571f3a3d3d
SSDEEP: 786432:pfjx8ZSLqcnnTNPefii+ydGI5mM3y9nEDQ:pfadJy9nQQ
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
- Looks for VirtualBox Guest Additions in registry
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Looks for VMware Tools registry key
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence check.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)