General

  • Target: XONE.exe
  • Size: 38.0MB
  • Sample: 240701-vrz79atdpj
  • MD5: 747325288a489b3c6863573f3e72104b
  • SHA1: 14e39695af5942d151c008b813580160604d85e3
  • SHA256: 7bfb4db002139d04fcf233d3384ba2c15c14e01d69d26327dc7ed918731b6194
  • SHA512: 0258556daf1368dd58c651df6a4fd5e028a5217282a47a63b2fbbf08e20588cab57ca578e5e288868ed00ef30de2e5a43ca099aef7431d7dcac5b5d4c5436463
  • SSDEEP: 786432:xy4byV7+uCOd9dFtuAJ1vyskeQ6T7tHckEz5lgYmErmRA+RlnS+kktWW8jz:xy4byV7+u5IATvJkb6PqL5ltm55NltWW

Malware Config

Targets

    • Target: XONE.exe

    • Windows security bypass
    • xmrig: XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
    • XMRig Miner payload
    • Modifies Windows Firewall
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Executes dropped EXE
    • Loads dropped DLL
    • VMProtect packed file: detects executables packed with the VMProtect commercial packer.
    • AutoIT Executable: AutoIT scripts compiled to PE executables.
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: XONE.pyc
    • Size: 1KB
    • MD5: e87c722cf6cca0b4467c93d412d373e9
    • SHA1: ad5378470eaaf373ea07b205990730e8f60c8082
    • SHA256: 03dec4d387d7267a2a5b16ae410dbfca535ac72b398e5c704e8aa467e5616cea
    • SHA512: fab2b97ba7a90b4c051e03d203c97dcbd324edcf0441c76e271cb1b8d72b840df4dbadcc8f7faec53a068eadb0c691057586765c815573f8750e1746e278a78b

    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry gives the technique, its ATT&CK ID and the reported count; sub-techniques are indented under their parent technique.

Execution
  • Command and Scripting Interpreter (T1059): 1
      • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1
      • Scheduled Task (T1053.005): 1

Persistence
  • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Event Triggered Execution (T1546): 1
      • Netsh Helper DLL (T1546.007): 1
  • Scheduled Task/Job (T1053): 1
      • Scheduled Task (T1053.005): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Event Triggered Execution (T1546): 1
      • Netsh Helper DLL (T1546.007): 1
  • Scheduled Task/Job (T1053): 1
      • Scheduled Task (T1053.005): 1

Defense Evasion
  • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 1
      • Disable or Modify System Firewall (T1562.004): 1
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 3

Tasks