19a174d9b6bf71c97169f88c467fe07bf16f307687c30ca17c55f10fdd6c5f7b | Triage

Sharing

General

Target

19a174d9b6bf71c97169f88c467fe07bf16f307687c30ca17c55f10fdd6c5f7b
Size

1.7MB
Sample

220521-bxxjrsffhr
MD5

acdae61387e23401950405716ee65620
SHA1

ec981d49ec36adfce675baa9ae6315829cccf92d
SHA256

19a174d9b6bf71c97169f88c467fe07bf16f307687c30ca17c55f10fdd6c5f7b
SHA512

1dee358cbdbde1e4cdfa1d23f355e8310a214f46b38b1be90c2c28df9a93f1a30e4841c46635528673be1d2c9ce664217adef81b98f70240f5cdd446665cc5fa

Score

10^/10

collection evasion persistence

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mapi.diplemailsrvr.com
Port:
587
Username:
[email protected]
Password:
Banachi@1974

Targets

- Target
  
  Company presentation~pdf.exe
- Size
  
  859KB
- MD5
  
  befba058f69c91a13b001f3d15efa262
- SHA1
  
  aeebe9b13b160bcb77bca46e5acefbdf214f9e5f
- SHA256
  
  e469882fa707c3f2f85c8bdd5fe250434f3fa5169ee71f8132dce99296b99629
- SHA512
  
  13a8df597d4ddf3762731e1c9226845e33ef15595c1e9d6152edf1abfabf5a9695f911a9475f900f1862ba50009c208be613679f9ed51e4a1e698f8eab0e779a
Score

10^/10

collection evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Composition & Quantity~pdf.exe
- Size
  
  859KB
- MD5
  
  befba058f69c91a13b001f3d15efa262
- SHA1
  
  aeebe9b13b160bcb77bca46e5acefbdf214f9e5f
- SHA256
  
  e469882fa707c3f2f85c8bdd5fe250434f3fa5169ee71f8132dce99296b99629
- SHA512
  
  13a8df597d4ddf3762731e1c9226845e33ef15595c1e9d6152edf1abfabf5a9695f911a9475f900f1862ba50009c208be613679f9ed51e4a1e698f8eab0e779a
Score

10^/10

collection evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Inquiry Items~pdf.exe
- Size
  
  859KB
- MD5
  
  befba058f69c91a13b001f3d15efa262
- SHA1
  
  aeebe9b13b160bcb77bca46e5acefbdf214f9e5f
- SHA256
  
  e469882fa707c3f2f85c8bdd5fe250434f3fa5169ee71f8132dce99296b99629
- SHA512
  
  13a8df597d4ddf3762731e1c9226845e33ef15595c1e9d6152edf1abfabf5a9695f911a9475f900f1862ba50009c208be613679f9ed51e4a1e698f8eab0e779a
Score

8^/10

collection evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionevasionpersistence

behavioral2

collectionevasionpersistence

behavioral3

collectionevasionpersistence

behavioral4

collectionevasionpersistence

behavioral5

collectionevasionpersistence

behavioral6

evasionpersistence