General

  • Target

    b3d279a0e5ebe89c26bb9f15f6d2c13234cbc81d43ab43b781cac355f21d20e1

  • Size

    841KB

  • Sample

    220521-w665sabag6

  • MD5

    5afba39f60b9df41fd44ff65f23f21ab

  • SHA1

    9f35885766fd63cb44dceef3e49960c58d10ecb8

  • SHA256

    b3d279a0e5ebe89c26bb9f15f6d2c13234cbc81d43ab43b781cac355f21d20e1

  • SHA512

    264b83b68c655ba2fa4073f8653117e77d22d3fd78b4e292ccc91edd978be93bf5860101c65d6a8df1dde20a44f3560adc240e1f7ef0613d97e121cffff28cba

Malware Config

Targets

    • Target

      ??QQ????.url

    • Size

      126B

    • MD5

      9f36733525857a875b9aa9b0dc78da08

    • SHA1

      9b7bf725cc7a90bf159ad1958b043adb16e36a9e

    • SHA256

      97c3de62e4bf28be46b48a65a349d3ab190ebad5602b8c6e92230d0a1c432ad2

    • SHA512

      72cb12cd8257add1e58d436f69c1f9d6cbfe515a172608943f30e46db376be5873a0ba6c58f81a269b6758419a4ea6b56cfd2dc40d86b4ffab47f0e90815ac85

    • Target

      Temp.exe

    • Size

      1.7MB

    • MD5

      7f915b8e7ad0130c05398792187d115f

    • SHA1

      df292be5f2d3f3076d5c563375359c5d4d06e1b7

    • SHA256

      c83827b5f37172f7023641b9089da7ca3f424f113501d74809974d3053eb406f

    • SHA512

      ce029ffd4c1c699fdc023466b9dbe645f609fe60f9340deb95eab5d3becd780a9492df828f8964181992c86197f9f808e2ba1d28bf30c0207bbde796bf60a261

    • Score

      8/10

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Modify Registry (T1112): 4

  • Discovery

    System Information Discovery (T1082): 7

    Query Registry (T1012): 4

Tasks