General

  • Target: 60ee8fe843ad606c553b1235.zip
  • Size: 11.0MB
  • Sample: 210714-z5by1p7p1a
  • MD5: fe494f077841c9775bc18b62389839ca
  • SHA1: ce292cdfec1b1c558b8504f1785a29aefbfae2da
  • SHA256: 97274d3483a75cc397119f8004c7d46bab06533c785ccd631fa1a6bf4c57149f
  • SHA512: 72b754e436d8c234ab38f6b74bc1414b92faf3e6028ecd94e7a711ce67aea5fb78c5745dcc1ce1c3052ada3029b6c4f1655abf0878c624584f8fbaa4658c926d

Malware Config

Targets

  • Target: START_ME.exe
  • Size: 862KB
  • MD5: e00439037cb00b9ecd737e57e04ab66d
  • SHA1: ca4e359d3bb2bea4ef07d5f41f51b91a9c8ec6aa
  • SHA256: cf05c88c3f3787c4b39cf7f0b0c55964cfa297c43b1bdaae7f64246de32cdf33
  • SHA512: 1c2de9daf70b51be60616cf171efb44d29f9abf05eae12883b615b551bb452ef94eeffc4e430de768ec718f7804e3bbf95832c7d1390720394713701c5eb2ddf

  Score: 10/10

  Signatures
    • Modifies WinLogon for persistence
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Blocklisted process makes network request
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Winlogon Helper DLL                  1      T1004
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Persistence           BITS Jobs                            1      T1197
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      3      T1112
  Defense Evasion       BITS Jobs                            1      T1197
  Discovery             Process Discovery                    1      T1057

Tasks