Concrete signature match: Trojan (appears legitimate but performs malicious actions); platform: 64-bit Windows; family: CoinMiner
This is a Trojan CoinMiner that uses the infected system's resources to mine cryptocurrency, causing significant performance degradation. The malware uses advanced evasion techniques, including process hooking and the abuse of legitimate Windows tools (LOLBins) like PowerShell and Rundll32, to establish persistence and execute its payload.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated file hashes (two 64-character hex values):
- 9e072e908725c84d710311124cbb82f59ca5ef5658014385e8fde7237cfee983
- 7659aa27e4d739a3e1d9a1e2a4aa8b3b3bfad2459eba45ae411b532d44f92379

Recommended remediation: Isolate the endpoint from the network to prevent lateral movement. Use Windows Defender to perform a full system scan and remove the detected files. Manually investigate and remove persistence mechanisms, such as suspicious Scheduled Tasks and startup entries, and reset all user and administrator passwords on the machine.