ac3ddf66ba83902207959d6aadb8b869b532ad55b15b23592531afa76d551ea4 | Triage

Sharing

General

Target

ac3ddf66ba83902207959d6aadb8b869b532ad55b15b23592531afa76d551ea4
Size

2.6MB
Sample

220521-cs2hlahecj
MD5

69819ee75ee0a9a9f1b5fddd1b787017
SHA1

2ec85d985daaa142af30cf36d051b32e1aa2ac8d
SHA256

ac3ddf66ba83902207959d6aadb8b869b532ad55b15b23592531afa76d551ea4
SHA512

e9fb1086200c839070ba2c6403051c285cb8c725ab83e084b5a54e7f197bd5e2cc46055e5304a6908fd71fd7601458f42d5f6f7a14a91d5fcb3c9057a649f167

Score

10^/10

collection evasion persistence

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mapi.diplemailsrvr.com
Port:
587
Username:
[email protected]
Password:
Banachi@1974

Targets

- Target
  
  Company Presentation~pdf.exe
- Size
  
  1.2MB
- MD5
  
  cbc2a4c4b531711337eb807fbd082adc
- SHA1
  
  f9114fe1e6ebe680831900fce56fde5ed2a748eb
- SHA256
  
  2ae247545c4291da9b83ad9ba0c6af00bd80c896a3fb9fafd028e09444bf3baf
- SHA512
  
  e5649d648c989049af1dd13c12f397483935d019e93e655801f51f642f7db8bd536c945b4ef92a1f46ff73e8e8952ddb397857c935408e52862543c0a58a92e2
Score

10^/10

collection evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Infrared Thermometer~pdf.exe
- Size
  
  1.2MB
- MD5
  
  cbc2a4c4b531711337eb807fbd082adc
- SHA1
  
  f9114fe1e6ebe680831900fce56fde5ed2a748eb
- SHA256
  
  2ae247545c4291da9b83ad9ba0c6af00bd80c896a3fb9fafd028e09444bf3baf
- SHA512
  
  e5649d648c989049af1dd13c12f397483935d019e93e655801f51f642f7db8bd536c945b4ef92a1f46ff73e8e8952ddb397857c935408e52862543c0a58a92e2
Score

10^/10

collection evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Mask samples & qty needed~pdf.exe
- Size
  
  1.2MB
- MD5
  
  cbc2a4c4b531711337eb807fbd082adc
- SHA1
  
  f9114fe1e6ebe680831900fce56fde5ed2a748eb
- SHA256
  
  2ae247545c4291da9b83ad9ba0c6af00bd80c896a3fb9fafd028e09444bf3baf
- SHA512
  
  e5649d648c989049af1dd13c12f397483935d019e93e655801f51f642f7db8bd536c945b4ef92a1f46ff73e8e8952ddb397857c935408e52862543c0a58a92e2
Score

10^/10

collection evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionevasionpersistence

behavioral2

collectionevasionpersistence

behavioral3

collectionevasionpersistence

behavioral4

collectionevasionpersistence

behavioral5

collectionevasionpersistence

behavioral6

collectionevasionpersistence