General
- Target: UnkwareF12upd.bin
- Size: 58.4MB
- Sample: 250119-2k5mqayqb1
- MD5: ce1b4c7aaf126ea54942c5e8ad4dcbe7
- SHA1: c3ba148562fe1923eba6317d893cd07752e5cfc3
- SHA256: 8f88794b29f5c10439f36e848db3364230a0828f4f4e44b201afe64d32a3b84e
- SHA512: a4942558b19828b8805fbe16d7fc5afe899aaa33b975866935c33afe00ad00248540ab850b6651e95d9fd6e3cb2929675418ded5ed32a34dfddc0d95eaefe923
- SSDEEP: 1572864:+cKRa7tv/LtKBaXnigTA/kA+hBnzHK3LDGvH/Ku3CEWxCChcmTq3:IRWJLQB2igI6xq7DSfKCVlf3
Behavioral task: behavioral1
- Sample: UnkwareF12upd.exe
- Resource: win10v2004-20241007-uk
Behavioral task: behavioral2
- Sample: UnkwareF12upd.exe
- Resource: win10ltsc2021-20250113-uk
Behavioral task: behavioral3
- Sample: UnkwareF12upd.exe
- Resource: win11-20241007-uk
Malware Config
- Extracted: phemedrone
- https://api.telegram.org/bot7685274426:AAGCiG0lyyKSjROanH8sVwfPt9NV-rMnzbk/sendDocument
Targets
- Target: UnkwareF12upd.bin
- Size: 58.4MB
- MD5: ce1b4c7aaf126ea54942c5e8ad4dcbe7
- SHA1: c3ba148562fe1923eba6317d893cd07752e5cfc3
- SHA256: 8f88794b29f5c10439f36e848db3364230a0828f4f4e44b201afe64d32a3b84e
- SHA512: a4942558b19828b8805fbe16d7fc5afe899aaa33b975866935c33afe00ad00248540ab850b6651e95d9fd6e3cb2929675418ded5ed32a34dfddc0d95eaefe923
- SSDEEP: 1572864:+cKRa7tv/LtKBaXnigTA/kA+hBnzHK3LDGvH/Ku3CEWxCChcmTq3:IRWJLQB2igI6xq7DSfKCVlf3
- Phemedrone family
- Xmrig family
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.