General

  • Target

    40ce55fc32e014af1a815b7b6cd456c5c2c345c002c1b93278f21c9a988df6c2.zip

  • Size

    33KB

  • Sample

    210727-99rnz4nd1e

  • MD5

    45dd1854481f4d465211bb7fa027d7bd

  • SHA1

    d6fc66d50626fa983da98950629289b0ac9dfee4

  • SHA256

    47b736864cf5b609cc262f95c9570d223c8c418a7b43d1eae35fdcfadc5614d1

  • SHA512

    06921ad58649ad334ccb902b16cc94cf9175e9f8216592775adc033b84cfd68b267c2f685ea91489ebfbf81c6dd19d1287fe9cf819f6bde852e0634eff9fbf4f


Targets

    • Target

      40ce55fc32e014af1a815b7b6cd456c5c2c345c002c1b93278f21c9a988df6c2

    • Size

      36KB

    • MD5

      022af75a77f7ccd7aa5748f9e70ab38a

    • SHA1

      b5f6b5dedc23f6b763234079ca51dfd403e6c674

    • SHA256

      40ce55fc32e014af1a815b7b6cd456c5c2c345c002c1b93278f21c9a988df6c2

    • SHA512

      60d36a940794cffbce14e8526a8ae4fb05ecac38527059de37898582b4868876e1d9224bd2e6f723c903d9fc0580b94deebdab913023693506111d38c11098e1

    • Modifies WinLogon for persistence

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • UAC bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Adds policy Run key to start application

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Modifies WinLogon

    • Program crash

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Winlogon Helper DLL (T1004): 2

  • Registry Run Keys / Startup Folder (T1060): 2

Privilege Escalation

  • Bypass User Account Control (T1088): 1

Defense Evasion

  • Modify Registry (T1112): 6

  • Bypass User Account Control (T1088): 1

  • Disabling Security Tools (T1089): 1

  • Virtualization/Sandbox Evasion (T1497): 1

Discovery

  • Query Registry (T1012): 1

  • Virtualization/Sandbox Evasion (T1497): 1

  • System Information Discovery (T1082): 1

  • Remote System Discovery (T1018): 1
