General

  • Target

    simulation.exe

  • Size

    10.8MB

  • Sample

    211116-rvd8eaebf8

  • MD5

    3d0dc7192a93ccc2b0b31eaacd4da6a7

  • SHA1

    21ce50989c250bf892963382f148525b3e1253c9

  • SHA256

    e235767521e6170568e8c3c3cf7b4f94b3315aec8b96d896bde9786ed492adef

  • SHA512

    9431f6a14bc3b1ec3c3b10a50b30f6bf98f92a0cd0e1b86e71bb288bb1b06212bde8ef301a4ecb5a516d3f76ef7d842f0e971c72ac9a8dcd8e04edf9bbd492cd

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper
    https://malwarehub.co/vault/mitre/T1059001/Invoke-Mimikatz.ps1

Targets

    • Target

      simulation.exe

    • Size

      10.8MB

    • MD5

      3d0dc7192a93ccc2b0b31eaacd4da6a7

    • SHA1

      21ce50989c250bf892963382f148525b3e1253c9

    • SHA256

      e235767521e6170568e8c3c3cf7b4f94b3315aec8b96d896bde9786ed492adef

    • SHA512

      9431f6a14bc3b1ec3c3b10a50b30f6bf98f92a0cd0e1b86e71bb288bb1b06212bde8ef301a4ecb5a516d3f76ef7d842f0e971c72ac9a8dcd8e04edf9bbd492cd

    Score
    10/10
    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
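The report above gives four digests and one extracted dropper URL. The following is an added example, not part of the sandbox report, showing how a responder would turn those indicators into an offline check: it hashes a file with the same four algorithms, requires all four to agree before calling a file the sample, and scans text (a captured PowerShell script, a proxy log) for the dropper URL. The indicator values are copied from the report; the file contents and log lines used at the bottom are constructed.

```python
"""Offline IOC check for the indicators listed in this report (added example)."""
import hashlib
import os
import tempfile

# Indicators copied from the report (sample 211116-rvd8eaebf8, simulation.exe).
REPORT_HASHES = {
    "md5": "3d0dc7192a93ccc2b0b31eaacd4da6a7",
    "sha1": "21ce50989c250bf892963382f148525b3e1253c9",
    "sha256": "e235767521e6170568e8c3c3cf7b4f94b3315aec8b96d896bde9786ed492adef",
    "sha512": "9431f6a14bc3b1ec3c3b10a50b30f6bf98f92a0cd0e1b86e71bb288bb1b06212"
              "bde8ef301a4ecb5a516d3f76ef7d842f0e971c72ac9a8dcd8e04edf9bbd492cd",
}
DROPPER_URL = "https://malwarehub.co/vault/mitre/T1059001/Invoke-Mimikatz.ps1"


def _hashers():
    # One hasher per algorithm the report lists, in the report's order.
    return {name: hashlib.new(name) for name in REPORT_HASHES}


def digest_bytes(data):
    """Return {algorithm: hexdigest} for an in-memory blob."""
    hashers = _hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, streamed so large samples fit in memory."""
    hashers = _hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests, expected=REPORT_HASHES):
    """Return the algorithms whose digest equals the report's value.

    A file is only treated as the sample when every listed digest matches;
    a partial match means a copy error in the indicator list, not the sample.
    """
    return [name for name, value in expected.items() if digests.get(name) == value]


def find_dropper_references(text):
    """Return the lines of `text` that mention the extracted dropper URL or its script name."""
    needles = (DROPPER_URL.lower(), "invoke-mimikatz.ps1")
    return [line for line in text.splitlines()
            if any(needle in line.lower() for needle in needles)]


def check_path(path):
    """Hash one file and report whether it is the sample from this report."""
    digests = digest_file(path)
    matched = match_report(digests)
    return {
        "path": path,
        "sha256": digests["sha256"],
        "matched": matched,
        "is_sample": len(matched) == len(REPORT_HASHES),
    }


if __name__ == "__main__":
    # Constructed input: an empty temp file stands in for a file under review.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"")
    try:
        print(check_path(tmp.name))
    finally:
        os.unlink(tmp.name)

    # Constructed proxy log lines; only the second references the dropper.
    sample_log = "\n".join([
        "2021-11-16 12:00:01 host1 powershell.exe GET https://example.invalid/update.ps1",
        "2021-11-16 12:00:02 host1 powershell.exe GET " + DROPPER_URL,
    ])
    print(find_dropper_references(sample_log))
```

The URL match is deliberately on the exact string and on the script name separately, since the same script is commonly staged under other paths; a hit on the name alone is a lead to confirm, not a confirmed match.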

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    System Information Discovery (T1082): 1
    Process Discovery (T1057): 1
