86738054740a62a605183fc15ab4ab5b832229ed8cfb71219eba2b3e726846ad | Triage

Resubmissions

09-06-2022 12:32

220609-pqk42sgafn 8

22-10-2021 13:33

211022-qtlenabfg4 10

Sharing

General

Target

test app.rar
Size

6.2MB
Sample

211022-qtlenabfg4
MD5

98df29493c6aef30c6eb80e37bb8b5da
SHA1

88ffcfb4d519b822968703314245387790e5d647
SHA256

86738054740a62a605183fc15ab4ab5b832229ed8cfb71219eba2b3e726846ad
SHA512

7377a72b1af08faaa9df6d89db2a78deb1aaa098b6679ba036b3eec491e0d5d339ed03f840077a39f77b43fb29090ca51ffec7bfd99fd724356740949abdabd2

Score

10^/10

adware discovery persistence stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.ICGROUP.ge
Port:
25
Username:
donotreply@euroins.ge
Password:
k9y5DnUX

Targets

- Target
  
  Microsoft.Data.SqlClient.SNI.dll
- Size
  
  485KB
- MD5
  
  ba17b0cb8cfc07450b57985eb653472e
- SHA1
  
  3715c61710107e1017aae39575215ab627a3b3c0
- SHA256
  
  e4e54af0a161691ca9f0cd13fcc1ebd00f9dc87e3954a7ecae3d77acc1559e41
- SHA512
  
  60e29abc651025936b1343c98f1b1d9eae70e8de42b68aba57eb13cb9256e5ea8f0729439f169f34d12fb83db9d2d29b5fbb3d87621d7e938ad9c164d67aae94
Score

10^/10

adware discovery persistence stealer
- Registers COM server for autorun
  persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  Microsoft.Data.SqlClient1.SNI.dll
- Size
  
  675KB
- MD5
  
  dfde64f838d2028f7815c43b01585288
- SHA1
  
  9ce0141a1964b98f1c9374279cd013c37ba0a221
- SHA256
  
  308a74ac7806a1d91f88d7f026364883127c6d38f925bb462f368db8b13da9f6
- SHA512
  
  983b0215f4fcefe6cbb9e1e7ec84dc2549521a313b6b08a0eee8860d51e634909558e95e62f39ea8c907a360d7481e1cc3f4484cee7ea77083d5688175b963d2
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral3 behavioral4
- Target
  
  TestConsoleApp.dll
- Size
  
  14KB
- MD5
  
  7a58b082b28f6e64bd489fd9f35d31f8
- SHA1
  
  f4b199ede47447669c30903795bf7a34e88aae79
- SHA256
  
  73e3e9038a92b84cb9c960b59d523815c12305f0195c02befdd3464cc138a2aa
- SHA512
  
  a6a448ebdb14f3f91b28e06f56db8ab6430fce049e48cce9ebfd7d6284ed5d6f8a1f284028a9d33c5530a758ba9b8aa9ff50bfddadd6b255316ca413b99aa584
Score

1^/10
behavioral5 behavioral6
- Target
  
  TestConsoleApp.exe
- Size
  
  18.2MB
- MD5
  
  4aeb4fe28b6d716e649dbae4ae97c6af
- SHA1
  
  7554105c37c957dda0dffee52bdfef126f0dd1f0
- SHA256
  
  998e33e7aef697081a142af6497b4044765522c470cc67d57ed294a3c7e15637
- SHA512
  
  51e46cc5b9932a888f6efa6d02acccd50ee0ea398c63cb00b3688feac86b6083123f3b4a94aad486149fe1f788882c57707af69eeaed08c3c2b5af329aac9909
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

adwarediscoverypersistencestealer

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8