General

  • Target

    e30472c94357090f0be7e4baa072fe68d17a1b46d20948768c1af7aa811bb040

  • Size

    832KB

  • Sample

    221003-p2npbagag4

  • MD5

    66805b538e88764367a3dcdfd88283a0

  • SHA1

    3ed7e44b1985bb215da47a03cee573705f870b31

  • SHA256

    e30472c94357090f0be7e4baa072fe68d17a1b46d20948768c1af7aa811bb040

  • SHA512

    c4e35549adac9fe19cd5ef5dcc75de56c515e5eb1478dee52ab893bf9e17ed8a64f1b9efb19ee1c81349c6bc0cacd19681151167df979a8387e35ac965dd98ab

  • SSDEEP

    12288:AgkDxdkL+6JNgKVcRa+fpHyWs3OBH4pUYJPfZQ:mxsKXa+hHyWseBgzm

Malware Config

Targets

    • Target

      e30472c94357090f0be7e4baa072fe68d17a1b46d20948768c1af7aa811bb040

    • Size

      832KB

    • MD5

      66805b538e88764367a3dcdfd88283a0

    • SHA1

      3ed7e44b1985bb215da47a03cee573705f870b31

    • SHA256

      e30472c94357090f0be7e4baa072fe68d17a1b46d20948768c1af7aa811bb040

    • SHA512

      c4e35549adac9fe19cd5ef5dcc75de56c515e5eb1478dee52ab893bf9e17ed8a64f1b9efb19ee1c81349c6bc0cacd19681151167df979a8387e35ac965dd98ab

    • SSDEEP

      12288:AgkDxdkL+6JNgKVcRa+fpHyWs3OBH4pUYJPfZQ:mxsKXa+hHyWseBgzm

    • Modifies WinLogon for persistence

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks