General
-
Target
Haragon.exe
-
Size
7.1MB
-
Sample
241228-ghs6pawmas
-
MD5
d46351b9dd2d7343ac26100277d39ab5
-
SHA1
337a5afd39cdd91c4816df3245ce7639b290913b
-
SHA256
105bb07ccd7dad7b0e395a08372ce5467161ce13def69c248a4f9c164c624113
-
SHA512
be3ac74e908f15bb0dea907cf620325372e3075ab9b7cdce653f95404348302bbc61bcc926fdd53b83c4d72136ba5dea12444cd19fc0d37e8bd9d3e90173efc2
-
SSDEEP
196608:C9uMRRdKGI3F4nqzM7fzP2lWnVP6gskRLJxVNG9mnl4cG/U/e:UuUPkFRM3P2lWVPNL+9m+O/
Malware Config
Targets
-
-
Target
Haragon.exe
-
Size
7.1MB
-
MD5
d46351b9dd2d7343ac26100277d39ab5
-
SHA1
337a5afd39cdd91c4816df3245ce7639b290913b
-
SHA256
105bb07ccd7dad7b0e395a08372ce5467161ce13def69c248a4f9c164c624113
-
SHA512
be3ac74e908f15bb0dea907cf620325372e3075ab9b7cdce653f95404348302bbc61bcc926fdd53b83c4d72136ba5dea12444cd19fc0d37e8bd9d3e90173efc2
-
SSDEEP
196608:C9uMRRdKGI3F4nqzM7fzP2lWnVP6gskRLJxVNG9mnl4cG/U/e:UuUPkFRM3P2lWVPNL+9m+O/
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Creates new service(s)
-
Drops file in Drivers directory
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-