General

  • Target

    610b44ef29643f5bfc1bf571e13e92155856eabac8706f45ea040da2ed48ea14.zip

  • Size

    8.4MB

  • Sample

    220806-tb8c9agchj

  • MD5

    9f9917b360792d18c4d935c67025739b

  • SHA1

    4469fd6b131ac2ccbb1d1ce4c2d84537f7769a14

  • SHA256

    ef467b6ca714eb5d5b5fdeaa40688246412dcb2fb871b053a0cee9725ef58616

  • SHA512

    0f20b5bbe63cde72777f7d5dff07927f4031cdfa6217db86120f64a5ea38a40b4b2d1adc6381c9c06b55d26662fef8b4bfd653474fe374c392dc578aa44f6538

Malware Config

Targets

    • Target

      610b44ef29643f5bfc1bf571e13e92155856eabac8706f45ea040da2ed48ea14.bin

    • Size

      8.6MB

    • MD5

      ff95f4df8c378534fb1a0978a1af81de

    • SHA1

      4b9d7167774a89fd9cad3093341e2cab2913f96b

    • SHA256

      610b44ef29643f5bfc1bf571e13e92155856eabac8706f45ea040da2ed48ea14

    • SHA512

      0f2014cfccd29806db02c84adeb8b673b4d07b8c38795e6b47d73d91ba6c90d4645a636b6f29684fdc3a6f0aa4889645cd60b6401e82a7d22b6fc12030354db4

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Detected potential entity reuse from brand google.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

3
T1060

Modify Existing Service

1
T1031

Defense Evasion

Modify Registry

4
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Security Software Discovery

1
T1063

Peripheral Device Discovery

2
T1120

Collection

Data from Local System

1
T1005

Tasks