General
-
Target
856543b98724304b70a2224a975b8760
-
Size
774KB
-
Sample
210926-s1x35sfba3
-
MD5
856543b98724304b70a2224a975b8760
-
SHA1
bb030509bcf3bd4c44d5d948cd80ca60893d9a98
-
SHA256
ba319ab5c744553d08d3e981e76445631626be828e08bfa84487ae19434912b9
-
SHA512
1d4e098399364a3b60349a0074a2067c16f20f40813991ed230343718e17d2aa79e280e55bfa7e90ff8a855b908f45a5f7fe776974ded20a3e1d06c8fb373e41
Static task
static1
Behavioral task
behavioral1
Sample
856543b98724304b70a2224a975b8760.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
856543b98724304b70a2224a975b8760.exe
Resource
win10-en-20210920
Malware Config
Targets
-
-
Target
856543b98724304b70a2224a975b8760
-
Size
774KB
-
MD5
856543b98724304b70a2224a975b8760
-
SHA1
bb030509bcf3bd4c44d5d948cd80ca60893d9a98
-
SHA256
ba319ab5c744553d08d3e981e76445631626be828e08bfa84487ae19434912b9
-
SHA512
1d4e098399364a3b60349a0074a2067c16f20f40813991ed230343718e17d2aa79e280e55bfa7e90ff8a855b908f45a5f7fe776974ded20a3e1d06c8fb373e41
Score10/10-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Virtualization/Sandbox Evasion
1Install Root Certificate
1