General

  • Target

    https___productmusics.com_ru53332_AIIJu19NYgQAeUACAE1ZFwASABC624QA_pdf-to-zpl-java.exe

  • Size

    3.9MB

  • Sample

    201123-p5ef5m671n

  • MD5

    da31d662e2138426ffaf2c7bbe0a27f9

  • SHA1

    ba69106c145dcfd8d5d89338a4a05833f6bf82e6

  • SHA256

    fbdcf6ebb76c84c3876adf6f8de5af5c1660aa090234f73b3af26ed15ab3ff9d

  • SHA512

    84854ed6c2265b66d0862e67ea01ae8f1fafaafdb72bf708b04f4b54a65a18aae1afdbd848dc32afc8739ec7b1f575056e36d034566c56c6c5ecb6dc9b5e35ca

Malware Config

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • JavaScript code in executable

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  --------------------  -----------------------------------  -----  -----
  Execution             Scheduled Task                       1      T1053
  Persistence           Modify Existing Service              2      T1031
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Disabling Security Tools             2      T1089
  Defense Evasion       Modify Registry                      5      T1112
  Defense Evasion       Install Root Certificate             1      T1130
  Discovery             Query Registry                       1      T1012

Tasks