Overview

overview

9

Static

static

IRMOutstan...02.exe

windows7_x64

9

IRMOutstan...02.exe

windows10_x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    IRMOutstandingReport_1594432868602.exe

  • Size

    167KB

  • Sample

    200713-llj4q7fa22

  • MD5

    0075c01564d4a4425acccaeb9272d44f

  • SHA1

    5ac7f72aae6784a7cc2d979eed0e25afbd704ae1

  • SHA256

    83dc40c5814d63f0ff34410b5d0b73cc9eedec070af5f6934d63f73d562835f8

  • SHA512

    64d0f663b9e007204e06548542647ddcf7c1a25cc513118b2122c9d08ac20102a2703e756a8d6242f46b6be2e8b92898ad69117ade7ef79a37b63bedacb74d6d

Score
9/10
evasionpersistencespywaretrojan

Malware Config

Targets

    • Target

      IRMOutstandingReport_1594432868602.exe

    • Size

      167KB

    • MD5

      0075c01564d4a4425acccaeb9272d44f

    • SHA1

      5ac7f72aae6784a7cc2d979eed0e25afbd704ae1

    • SHA256

      83dc40c5814d63f0ff34410b5d0b73cc9eedec070af5f6934d63f73d562835f8

    • SHA512

      64d0f663b9e007204e06548542647ddcf7c1a25cc513118b2122c9d08ac20102a2703e756a8d6242f46b6be2e8b92898ad69117ade7ef79a37b63bedacb74d6d

    Score
    9/10
    persistenceevasionspywaretrojan

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Sets DLL path for service in the registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run entry to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

      persistence

    • Modifies system certificate store

      evasionspywaretrojan

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

2
T1060

Winlogon Helper DLL

1
T1004

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

4
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks