General

  • Target

    file01.ps1

  • Size

    148B

  • Sample

    240705-g492bstenk

  • MD5

    ccab7cc0213131da914474a10380dcc8

  • SHA1

    601d9886a23026652da753780d335125b9d41749

  • SHA256

    9af65b08db3c9f1a34d9951e746df61da38da630bbeee5f63f0191664b7cf768

  • SHA512

    2cf263e50f9674fde2239895d5ac9a08989e12f869030456a6bd67bd7a95be41f46f8506f7afde1b172d0b6174b0893ec2841c43020d3e1432eef1b038c5efff

Malware Config

  • Extracted

    Language: ps1
    Deobfuscated: yes
    URLs (exe.dropper): http://185.254.97.190:2024/test.txt

  • Extracted

    Language: ps1
    Deobfuscated: yes
    URLs (exe.dropper): https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

  • Extracted

    Language: ps1
    Deobfuscated: yes
    URLs (exe.dropper): https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Targets

    • XMRig Miner payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Blocklisted process makes network request

    • Stops running service(s)

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    System Services (T1569): 1
      Service Execution (T1569.002): 1
    Command and Scripting Interpreter (T1059): 1
      PowerShell (T1059.001): 1

  • Persistence

    Create or Modify System Process (T1543): 1
      Windows Service (T1543.003): 1

  • Privilege Escalation

    Create or Modify System Process (T1543): 1
      Windows Service (T1543.003): 1

  • Defense Evasion

    Impair Defenses (T1562): 1

  • Command and Control

    Web Service (T1102): 1

  • Impact

    Service Stop (T1489): 1

Tasks