6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9 | Triage

Sharing

General

Target

618a1e3551560b86454450f3ea580029.exe
Size

584KB
Sample

200630-mw6ctwedfe
MD5

618a1e3551560b86454450f3ea580029
SHA1

39d86228750d1eebdb78f60b03c3b638acf72d34
SHA256

6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9
SHA512

d5b309a0ff9b07e74c9cee1df37a627193393de7cc0fe079ab606d94b2beac948c8d7d25378de3cf87b00c7227c70fa8e49291d6060a7254e2ce0439a09c2305

Score

10^/10

evasion miner persistence

Malware Config

Targets

- Target
  
  618a1e3551560b86454450f3ea580029.exe
- Size
  
  584KB
- MD5
  
  618a1e3551560b86454450f3ea580029
- SHA1
  
  39d86228750d1eebdb78f60b03c3b638acf72d34
- SHA256
  
  6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9
- SHA512
  
  d5b309a0ff9b07e74c9cee1df37a627193393de7cc0fe079ab606d94b2beac948c8d7d25378de3cf87b00c7227c70fa8e49291d6060a7254e2ce0439a09c2305
Score

10^/10

persistence evasion miner
- Modifies WinLogon for persistence
  persistence
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
  miner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
  persistence
- Executes dropped EXE
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Modifies service
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

New Service

Modify Existing Service

Scheduled Task

Privilege Escalation

New Service

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

persistenceevasionminer

behavioral2