4d4f1d9ac5e7887dda018ea46753789a0c3d8e1199ea3c34502aa8da2136fe0e | Triage

Sharing

General

Target

nes1.exe
Size

75KB
Sample

220313-2tdwcsadh2
MD5

147e760e14fcb833dd6dba8aabfbe092
SHA1

8ae5369a8a95737a8efc4831f5a20ca6b2d959b6
SHA256

4d4f1d9ac5e7887dda018ea46753789a0c3d8e1199ea3c34502aa8da2136fe0e
SHA512

ebad6c551e11acef22e2952131e68dec9931a31f366d89f9d02ed63b3e479a8e6fa2eaa38b6d4c2885e1714e888124c207a7dbc4c15741f5cb11d8081d1198a5

Score

10^/10

evasion persistence spyware trojan

Malware Config

Targets

- Target
  
  nes1.exe
- Size
  
  75KB
- MD5
  
  147e760e14fcb833dd6dba8aabfbe092
- SHA1
  
  8ae5369a8a95737a8efc4831f5a20ca6b2d959b6
- SHA256
  
  4d4f1d9ac5e7887dda018ea46753789a0c3d8e1199ea3c34502aa8da2136fe0e
- SHA512
  
  ebad6c551e11acef22e2952131e68dec9931a31f366d89f9d02ed63b3e479a8e6fa2eaa38b6d4c2885e1714e888124c207a7dbc4c15741f5cb11d8081d1198a5
Score

10^/10

evasion persistence spyware trojan
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencespywaretrojan

behavioral2

evasionpersistencetrojan