General

  • Target

    93d1a18e13f950cc0e1f75adf74062eef13eca4726f133e51ad318ea08bd237d

  • Size

    1016KB

  • Sample

    221020-s2lrhabeep

  • MD5

    96920dc87a26d597f59a395361f4bda0

  • SHA1

    d769e140b957a2ca2da455af564f4f66b01dbda0

  • SHA256

    93d1a18e13f950cc0e1f75adf74062eef13eca4726f133e51ad318ea08bd237d

  • SHA512

    fee9c806776855e041a437703cf805d99e4125f2b0d7c3076ab825378f9029154aae2cdbc417310b53b3f4dd8bb22e44a37b5254b7e7fab2a8d2951bfdc4877d

  • SSDEEP

    6144:TIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:TIXsgtvm1De5YlOx6lzBH46U

Targets

    • Modifies WinLogon for persistence

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory