General

  • Target

    obf.rar

  • Size

    4KB

  • Sample

    220925-w3wjwaghfl

  • MD5

    0839ef1f46c4b7537b2103ccf08d1fe5

  • SHA1

    487018f2cb09151573353df04814372e4b3a63fa

  • SHA256

    7998265583ba8238699fcbc3c08eeca008d52863fe294d86b2d66e951da16087

  • SHA512

    de4fb33d20664bd27b83b8c02352578c744776d2ee96ad2f911ac7b94f1b40ce64b16622955bf4399b36886c16e6c784d9a6fcdd9f2d098ea0f875ec148bdaf6

  • SSDEEP

    96:UuHVt47gGBb8rlmdFP6TIOK13XUI2wP+Nsi6m9PJ4t1PStfpmPCm:UuHz47gGBW4Fz3kIHtAutmhmj

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://rick-roll.fun/uwu/0303/Admin/cc.g

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://rick-roll.fun/uwu/0303/global/cc.g

Targets

    • Target

      obf.bat

    • Size

      27KB

    • MD5

      dd7e34f9513d20a78c9d0e1f83988adb

    • SHA1

      b6a71b528622667224033497954414ef701e7b6f

    • SHA256

      3b3a767338286c210c11c4b6fde80b6d7beb3461a9c3dbe59da4ffef023b2181

    • SHA512

      62947cbf304abfeac88df72f3c187bf65a2589fdd0092ff7af9dd3a22789136b63e89c93f9788019a9f94081b44b5012325643d0cf814835c7c5a1d36314221b

    • SSDEEP

      384:gEsU85BPAVqb4C0062BKJth4d3SBhQF+/rlvuDMDdH9JDquu+jMJ7p00sFwo17uL:gUqb4SCS8ys9Fxo

    Score
    10/10

    • Modifies WinLogon for persistence

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Winlogon Helper DLL (T1004): 1

  • Hidden Files and Directories (T1158): 1

Defense Evasion

  • Modify Registry (T1112): 1

  • Hidden Files and Directories (T1158): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

  • Remote System Discovery (T1018): 1

Command and Control

  • Web Service (T1102): 1