General

  • Target

    loader_317799163.zip

  • Size

    11.1MB

  • Sample

    210215-9j5dw6pstn

  • MD5

    f838218d65b669e0f6fb97b9bd5ae90f

  • SHA1

    98b821a94074bb47e4c0d94304685df1776b233e

  • SHA256

    b07da492ff578ba099dd0f36d63422d10d4b9760c8940903533d16703f28ed23

  • SHA512

    0f7edbb2b318f52cdd86501198e061c8ea78efc73bc698559f0611f41969811a315a3dade937406cf09ab439ea06e2ae6d039120f6978b491969a3e78e3cdeaa

Malware Config

Targets

    • Target

      loader_317799163.exe

    • Size

      2.8MB

    • MD5

      e58cb8a7ae78f7abd5e796a7731e3ce8

    • SHA1

      ee2089c209a0f6ef2b1733f80b355b55c78347fd

    • SHA256

      73d69d476d0e8c1656d87df24a5c92d4dffe3940ae9275fd2d09271f1f5b123f

    • SHA512

      d2fc454bb1754972db07bd86a580534cceefb00a8c3d2c1b3fa25bc786e2431b817e3870cf36346105cfadbce8bb811266058041e0990aac25d6cd4e45d2d671

    • Score

      10/10

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      tesetup.exe

    • Size

      8.5MB

    • MD5

      e2117b1bcb242413dac0c2ab781185cf

    • SHA1

      87b125bd59fc9ff51e2b34ce7af0fcb63e4a906b

    • SHA256

      17f049fecfce6461a398d914d6c265d0e0a074fa601310698b436445135b4797

    • SHA512

      abdeb1512b4b4488b6b1c9fb0bfeba3cd5dae3eb3ac25d530497fd7cde4dc1dccd3fbc953afef404234b6c79e1d128b70807a332c54684cf17168b4eaba56362

    • Registers COM server for autorun

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic             Technique                           Count  ID
    Persistence        Registry Run Keys / Startup Folder  3      T1060
    Persistence        Bootkit                             1      T1067
    Defense Evasion    Modify Registry                     3      T1112
    Credential Access  Credentials in Files                2      T1081
    Discovery          System Information Discovery        4      T1082
    Discovery          Query Registry                      2      T1012
    Collection         Data from Local System              2      T1005

Tasks