General
- Target: a4863b8da0f8b001d7c28b956139e23f.exe
- Size: 1.3MB
- Sample: 211205-agtmhabggl
- MD5: a4863b8da0f8b001d7c28b956139e23f
- SHA1: 7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4
- SHA256: c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181
- SHA512: 8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d
Static task: static1
Behavioral task: behavioral1
- Sample: a4863b8da0f8b001d7c28b956139e23f.exe
- Resource: win7-en-20211104
Malware Config
Targets
- Target: a4863b8da0f8b001d7c28b956139e23f.exe
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory