General

  • Target

    XMLFC-NI_91DJ5RXT45MRGZKFBZKILT.zip

  • Size

    123KB

  • Sample

    210304-hl1hv6sjf2

  • MD5

    ed25aee4e84e423bb83ff948ab942abf

  • SHA1

    5459addf59562e0c920c793fcc95e2792cf66eb9

  • SHA256

    a8c35c7bd501ca58d64791fbb065d32c3265440a78995f3fdccf7da0f77aa7c4

  • SHA512

    562f93fd3912969fe1b824f95f035e8f99c814c4c437871a018c56519e793affba3068c36176b6909c97e263d3407827a26faa67a45e023627a090065d6171ec

Malware Config

Targets

    • Target

      XMLFC-NI_91.msi

    • Size

      268KB

    • MD5

      ea216c4397537df9d792c82c852796fa

    • SHA1

      c9706304fa18ff3640f4f4db414f026b4de4cbee

    • SHA256

      eb1cc652821c6f0665e79abe6dffee13461ffd001a331ffc6752460b7e2d073d

    • SHA512

      32c00bf837c78c4e4c6e14fd57ee658100547231255aa08cafd4ff9e65455c79e6c405e3b2574da2f422253a32f5a185d41edaad1d0e33c08744514e84cf7e1a

    • Blocklisted process makes network request

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Count  ID
  Persistence       Winlogon Helper DLL                  1      T1004
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Modify Registry                      2      T1112
  Discovery         Query Registry                       1      T1012
  Discovery         Peripheral Device Discovery          1      T1120
  Discovery         System Information Discovery         1      T1082

Tasks