Overview

overview

10

Static

static

INSTALL.cmd

windows11_x64

8

INSTALL.cmd

windows10_x64

1

Adobe.Acro...35.exe

windows11_x64

10

Adobe.Acro...35.exe

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    drive-download-20211115T213206Z-001.zip_

  • Size

    528.0MB

  • Sample

    211116-v6hlraegg4

  • MD5

    6f7e3c7640a686fc98a53f00eed7433d

  • SHA1

    f56add132dd55a4e9b03a76173d279cd99ebef6f

  • SHA256

    bdbf7d7ce2696816594ee02bd4701788ece5d62ae3285884f24f6a9376a54bf9

  • SHA512

    d61eca0799eb9df2d03a6f29b38d5931ab85e89f5ad19b0f26e41333d269e44f234ec79cae410746fef82f780d5be890268b5a24caa24028bc57af0ef0f71319

Score
10/10
adwareevasionmacropersistencestealerxlm

Malware Config

Targets

    • Target

      Adobe.Acrobat.Pro.DC.v2021.001.20135.exe

    • Size

      528.3MB

    • MD5

      09b175cc20f71f078778341e8cd48d3e

    • SHA1

      68c54bed51fd40c988515cb513cf264a7166c36e

    • SHA256

      4255c508b4b857cd52ad55c6aa10bef03c5b4136d4eaae4b8c487b33df0cad3a

    • SHA512

      2e17149b814b7de16eaadaec8618fe342732e9723c2b51bbd0f1981eabcd98b350ff52c763dce4c5e3c19a78d377fd05fe1b041535c3aa6e61e771a4ce3b0192

    Score
    8/10
    persistence
    behavioral1behavioral2

    • Target

      INSTALL.cmd

    • Size

      858B

    • MD5

      4a7de61f7860f833fb261987e1212de5

    • SHA1

      1c2848c63b82dadd111addaeb15df4cf96b91136

    • SHA256

      d2ef2be21150dab436f8d64dc33c6aa2d78b1ec5dfdad076f96cfe649a5b20ed

    • SHA512

      6703f76e1e1955271f850882e9acb951f3ca35ccb96e18e99d8f1b209641242c0c154829f8d003baead8c79e5cbe1c93458572fc5df7b11f65c882f2b6b30a17

    Score
    10/10
    adwareevasionmacropersistencestealerxlm

    • Registers COM server for autorun

      persistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Registers new Print Monitor

      persistence

    • Sets file execution options in registry

      persistence

    • Sets service image path in registry

      persistence

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macroxlm

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

6
T1060

Modify Existing Service

1
T1031

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

8
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks