General

  • Target

    74bd0a0f99f46bfc7106edc3f4d360d9c0bdcba209cbedb685f2131c9482cc3b

  • Size

    145KB

  • Sample

    220524-sae5msagfl

  • MD5

    598216c1f4df42b96265e40d826a029b

  • SHA1

    5299280a7093ece1ce4cc8bd9dbbd57115cf93a2

  • SHA256

    74bd0a0f99f46bfc7106edc3f4d360d9c0bdcba209cbedb685f2131c9482cc3b

  • SHA512

    ea4d008e55c16157e1374b03d142ddb34fe219114f42c6f49fb0f9b0a7c9e0abe5be0e97162a2fe820ec7b7d3a8daa4acdf2324df44445d1190e23da1a0d59b2

Malware Config

Targets

    • Target

      74bd0a0f99f46bfc7106edc3f4d360d9c0bdcba209cbedb685f2131c9482cc3b

    • Size

      145KB

    • MD5

      598216c1f4df42b96265e40d826a029b

    • SHA1

      5299280a7093ece1ce4cc8bd9dbbd57115cf93a2

    • SHA256

      74bd0a0f99f46bfc7106edc3f4d360d9c0bdcba209cbedb685f2131c9482cc3b

    • SHA512

      ea4d008e55c16157e1374b03d142ddb34fe219114f42c6f49fb0f9b0a7c9e0abe5be0e97162a2fe820ec7b7d3a8daa4acdf2324df44445d1190e23da1a0d59b2

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block at first sight (blocking at first seen).

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that embeds its payload as a Bitmap object which is decrypted at runtime.

    • Modifies Windows Defender Real-time Protection settings

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Windows security modification

    • Suspicious use of SetThreadContext
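
The two Defender-related signatures above ("Contains code to disable Windows Defender" and "Modifies Windows Defender Real-time Protection settings") are what a defender would want to catch on a live host, where the observable is a registry value being set. The following is an added detection example, not part of the sandbox report and not code from the sample: it scans Sysmon-style registry "value set" events (EventID 13) for writes that turn Defender protection off. The registry value names and their "off" data are the real Defender policy values; the log line format is a simplified constructed rendering of Sysmon fields, the sample events are constructed, and the image path `sample.exe` is an assumption.

```python
import re
from typing import Dict, List, Optional

# Windows Defender value names a "disable Defender" payload typically flips,
# mapped to the DWORD data that means the protection is OFF. Matched by value
# name under any "...\Windows Defender\..." key (policy key or live key).
# ATT&CK (v6, as used in the report above): T1112 Modify Registry,
# T1089 Disabling Security Tools.
DEFENDER_OFF_VALUES: Dict[str, int] = {
    "disableantispyware": 1,
    "disablerealtimemonitoring": 1,
    "disablebehaviormonitoring": 1,
    "disableonaccessprotection": 1,
    "disableioavprotection": 1,
    "disablescanonrealtimeenable": 1,
    "disableblockatfirstseen": 1,   # "block at first sight" off
    "spynetreporting": 0,           # cloud-delivered protection off
    "submitsamplesconsent": 2,      # 2 = never send samples
}

# Constructed Sysmon-style registry events (EventID 13 = value set).
# These are NOT real logs; the image path is an assumption for illustration.
SAMPLE_EVENTS: List[str] = [
    r"EventID=13 Image=C:\Users\user\AppData\Local\Temp\sample.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Users\user\AppData\Local\Temp\sample.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Users\user\AppData\Local\Temp\sample.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Users\user\AppData\Local\Temp\sample.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent Details=DWORD (0x00000002)",
    # Re-enabling real-time monitoring (data 0) is not tampering.
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details=DWORD (0x00000000)",
    # Unrelated Run-key write: value set, but not a Defender key.
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    # Service Start value for WinDefend: key name does not contain "Windows Defender".
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start Details=DWORD (0x00000002)",
]

_LINE_RE = re.compile(
    r"^EventID=(?P<id>\d+)\s+Image=(?P<image>.+?)\s+TargetObject=(?P<target>.+?)\s+Details=(?P<details>.*)$"
)
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict; None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    d = _DWORD_RE.search(ev["details"])
    ev["dword"] = int(d.group(1), 16) if d else None  # None for non-DWORD data
    return ev


def classify(ev: dict) -> Optional[str]:
    """Return the Defender value name if this event turns a protection OFF, else None."""
    if ev["id"] != 13:
        return None
    key, _, name = ev["target"].rpartition("\\")
    if "windows defender" not in key.lower():
        return None
    off_data = DEFENDER_OFF_VALUES.get(name.lower())
    if off_data is None or ev["dword"] != off_data:
        return None
    return name


def scan(lines: List[str]) -> List[dict]:
    """Run the rule over log lines; one finding per Defender-disabling write."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = classify(ev)
        if name:
            findings.append({"image": ev["image"], "value": name, "target": ev["target"]})
    return findings


def tamper_by_image(findings: List[dict]) -> Dict[str, List[str]]:
    """Group flipped value names per writing process, for triage and thresholding."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f["image"], set()).add(f["value"])
    return {img: sorted(vals) for img, vals in grouped.items()}


if __name__ == "__main__":
    for image, values in tamper_by_image(scan(SAMPLE_EVENTS)).items():
        print(f"{image} disabled Defender settings: {', '.join(values)}")
```

Matching on the value name under any key containing "Windows Defender" catches both the Group Policy location (`HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\...`) and the live configuration key; requiring the data to equal the "off" value avoids alerting on administrators restoring protection. Group Policy refreshes also write these values through `svchost.exe`, so in production the per-image grouping is where you would add an allow-list rather than relaxing the value match.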

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                  Count  ID
Persistence       Modify Existing Service    1      T1031
Defense Evasion   Modify Registry            2      T1112
Defense Evasion   Disabling Security Tools   2      T1089

Tasks