General

  • Target

    u3bgJ5M1g6GCfYr.exe

  • Size

    37.6MB

  • Sample

    211106-srlczsefb5

  • MD5

    0e4e2229de6909410804f542309c07cc

  • SHA1

    cecc3055e14565a6e45a31443097d4d298b367b6

  • SHA256

    768d3452d921ae6408f0ef090c834ad6ad7ae2f8181c20bd3b0da920d2261322

  • SHA512

    afbb87590984d95fd93769ff6d68afb99ce917934d559df645c89dbb585428bd7a8effb029be1efd35fcb0395c8e05b49f908076e617d790a7c4f9ccb42e13b2

Malware Config

Targets

    • Target

      65E82428E803B963CF4A5088DBE621336D95AC4709460B08729AFD598FC60151

    • Size

      37.8MB

    • MD5

      91e3098e760c1bf3103d7e8bbb1dd68d

    • SHA1

      e8e53db8efd488a4fb062c208851f60f0373a12f

    • SHA256

      65e82428e803b963cf4a5088dbe621336d95ac4709460b08729afd598fc60151

    • SHA512

      d3513049d9a3feafe7ab33695998227a85bcccc255bd488e927ff5ecb541d001568174c43b36a5764c598bf7ba974f12680c94480242a761161832e9ead53822

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                           Count  ID
Persistence        Change Default File Association     1      T1042
Persistence        Registry Run Keys / Startup Folder  1      T1060
Persistence        Browser Extensions                  1      T1176
Defense Evasion    Modify Registry                     3      T1112
Defense Evasion    Install Root Certificate            1      T1130
Credential Access  Credentials in Files                1      T1081
Discovery          Query Registry                      3      T1012
Discovery          System Information Discovery        3      T1082
Discovery          Security Software Discovery         1      T1063
Collection         Data from Local System              1      T1005
