xmrig

General

Target

Release.rar
Size

37.4MB
Sample

250108-3dp45azqhl
MD5

050f8a0271b995d32019c0c08a43cf41
SHA1

2e99201dc20df565b5d2c3a6178f924b53a72a52
SHA256

5c0a9b754b17c068462ad39692c24cd79570203ef1da2aa5470c3db33f0f87b9
SHA512

78e6d129117f7530b142bcd2d829d3ca8c10740d1ec3903e322583f8b2ec5de5754934f5e4a3b3e6e4d48148cc64c7fad2db38ce9633679027a070b1d7259d26
SSDEEP

786432:nOP90ogsUat0H2YqYSPr8X5dlCr1ZJMCVVDVc5VXwzFo2ZcYfrM:OPiiYqjPEK1kCVVDqb04

Score

10^/10

Malware Config

Targets

- Target
  
  Release/dlls/fortnite_undetected.dll
- Size
  
  609KB
- MD5
  
  81b84eebbfa9bdadc4f657863ce35e7c
- SHA1
  
  c3be75fdc41791679cf073ba652123b63d26c416
- SHA256
  
  a3d2ffc09ef0582cd4e72cd2117cf647a190d2bfb8dc3f36dd6ad72a3161c155
- SHA512
  
  8127427064f5695c349ce69838a6916c6f792192a5e692eff8f53fdaa4943f4245d173c95838b10e91542bd264f9638f869fb76669b2af8be2e134687545a073
- SSDEEP
  
  12288:U4sF+HRf6NFkPcFn00xygoLOk1nqMYqRg7SUqN9z:I+xf6cPcFnBsLOk1nqMJbUsl
Score

3^/10

discovery
behavioral1
- Target
  
  Release/loader.exe
- Size
  
  38.0MB
- MD5
  
  b61aa7f007f4d56b0638abfcd9a5df4e
- SHA1
  
  b58600ad6f8c44c6f1953b6de31f002318cc53f1
- SHA256
  
  83ffb625219bd357151df767150728180f0e362c11e56820eaa31ad90a2ae87c
- SHA512
  
  4d47833de9634937935d6e1cc368259b0c85d79d221090fc338fa60ed104afeaf900941f207f971c415fe654b4d04d19ed92f2e81139bee52c449815e05e38f9
- SSDEEP
  
  786432:1waM5TIb9dn18GCdS/EW9u8m9GG+K+PoBY0sLvZu7DM:BM5Q91uGCE/EYu14PK+Pj0m+
Score

10^/10

xmrig microsoft defense_evasion discovery evasion execution miner persistence phishing privilege_escalation pyinstaller ransomware upx
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Renames multiple (102) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Detected potential entity reuse from brand MICROSOFT.
  phishing microsoft
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2