General

  • Target: d20cdf0a9602c8503270e51bac60f2c755e8b5a54a4ce0646cf8cc61caef2521

  • Size: 1016KB

  • Sample: 221029-x1gtdacccq

  • MD5: a376e6995a4a3bfaecbb0fa8c444c4a0

  • SHA1: ca185ede4981a792dd1fc3e7222c3ebd89733ddf

  • SHA256: d20cdf0a9602c8503270e51bac60f2c755e8b5a54a4ce0646cf8cc61caef2521

  • SHA512: 7316171cc7a4cb36f277cad818dd66a1da0c32991f8b684b592b021e758ea81fa0e7d49ef5ec4453d8964c99a8149f9df6fe0be464030abd825766b0f58e8f6b

  • SSDEEP: 6144:CIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:CIXsgtvm1De5YlOx6lzBH46Umu1q

Malware Config

Targets

    • Modifies WinLogon for persistence

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6