General

  • Target

    44eefb6a1b37a2b9a995dccb68256de752fb11fa1125a7fc3f2db95b1cccd2f1

  • Size

    300KB

  • Sample

    220707-v98x4sdcgq

  • MD5

    374147a63ee6abc639d32022f1484050

  • SHA1

    a4fab1a0c5cccba2fdfef7cd0ea864ad59899d85

  • SHA256

    44eefb6a1b37a2b9a995dccb68256de752fb11fa1125a7fc3f2db95b1cccd2f1

  • SHA512

    89aea9c3b0b9097e64504cd38057d420c911b6d54045d4ac1030895a73e61767640988782787f788d09c6e63becd048afcd5fe86f1360bc2951e1464abec3e2e

Malware Config

Targets

    • Target

      44eefb6a1b37a2b9a995dccb68256de752fb11fa1125a7fc3f2db95b1cccd2f1

    • Size

      300KB

    • MD5

      374147a63ee6abc639d32022f1484050

    • SHA1

      a4fab1a0c5cccba2fdfef7cd0ea864ad59899d85

    • SHA256

      44eefb6a1b37a2b9a995dccb68256de752fb11fa1125a7fc3f2db95b1cccd2f1

    • SHA512

      89aea9c3b0b9097e64504cd38057d420c911b6d54045d4ac1030895a73e61767640988782787f788d09c6e63becd048afcd5fe86f1360bc2951e1464abec3e2e

    • suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24

      suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Tasks