Overview

overview

10

Static

static

d97ed58ec9...07.exe

windows7-x64

10

d97ed58ec9...07.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d97ed58ec9e619ff01d120d93bae8b10b038c55bfa721aeeab49e29db3f3e207

  • Size

    480KB

  • Sample

    221002-2eppbaehen

  • MD5

    708f9621be9fb01c7a0a8df306b75a44

  • SHA1

    0fa7324d54d73331bb9074372939827fe0d73be1

  • SHA256

    d97ed58ec9e619ff01d120d93bae8b10b038c55bfa721aeeab49e29db3f3e207

  • SHA512

    d0686e2140ca65e2e927b690f5b296ce58d4daeac349ecc1e4e569d375d5f2cf7579224eec7af914222387a96a9e04662b7eeddb949bad0ca6e999fdc3a151cb

  • SSDEEP

    6144:Kj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdriondSY2:Y6onxOp8FySpE5zvIdtU+Ymef8Y2

Score
10/10
evasionpersistencetrojan

Malware Config

Targets

    • Target

      d97ed58ec9e619ff01d120d93bae8b10b038c55bfa721aeeab49e29db3f3e207

    • Size

      480KB

    • MD5

      708f9621be9fb01c7a0a8df306b75a44

    • SHA1

      0fa7324d54d73331bb9074372939827fe0d73be1

    • SHA256

      d97ed58ec9e619ff01d120d93bae8b10b038c55bfa721aeeab49e29db3f3e207

    • SHA512

      d0686e2140ca65e2e927b690f5b296ce58d4daeac349ecc1e4e569d375d5f2cf7579224eec7af914222387a96a9e04662b7eeddb949bad0ca6e999fdc3a151cb

    • SSDEEP

      6144:Kj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdriondSY2:Y6onxOp8FySpE5zvIdtU+Ymef8Y2

    Score
    10/10
    evasionpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Disables RegEdit via registry modification

      evasion

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

5
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Tasks