General

  • Target

    7D1E.exe

  • Size

    823KB

  • Sample

    210504-e7shvt3z8n

  • MD5

    98aeb8fcd1eae79f983087721305aa9f

  • SHA1

    87c013f1cd71a20836c5a2ba7f7206ce1fd64a5f

  • SHA256

    712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913

  • SHA512

    bd470e8e0ec1042cc6cdea479e23aa41ee3698b2c383dbdb32f5333cb734d5bfcb49128be854829c54cd4e1f78c0566387675913d6dd196cc3a9221501419b2e

Malware Config

Targets

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Command-Line Interface (T1059): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Impair Defenses (T1562): 1

  • File Permissions Modification (T1222): 1

  • Modify Registry (T1112): 2

  • Install Root Certificate (T1130): 1

Discovery

  • System Information Discovery (T1082): 1