Overview

overview

10

Static

static

test.txt

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    test.txt

  • Size

    24B

  • Sample

    221031-s2fkgscbdk

  • MD5

    72ac6b145b3de2b79610e9b39258add5

  • SHA1

    aa0fd3752e36025df7d7211751698f0ce479fe6c

  • SHA256

    a9856e65f19163038d45af5238f337abb25421b464a393d8e9af4b378228f90e

  • SHA512

    a3d3eedf67f4b4a56ebc5a92f866f0510a92f6a7fd3ca08e6d5ba847a0ace8d85a50c2569f16c73cfa56192b522d08fcb9fc8cf2258096cdeaebf256ae29b036

Score
10/10
adwarediscoveryevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20400/i640.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20400/i641029.cab

Targets

    • Target

      test.txt

    • Size

      24B

    • MD5

      72ac6b145b3de2b79610e9b39258add5

    • SHA1

      aa0fd3752e36025df7d7211751698f0ce479fe6c

    • SHA256

      a9856e65f19163038d45af5238f337abb25421b464a393d8e9af4b378228f90e

    • SHA512

      a3d3eedf67f4b4a56ebc5a92f866f0510a92f6a7fd3ca08e6d5ba847a0ace8d85a50c2569f16c73cfa56192b522d08fcb9fc8cf2258096cdeaebf256ae29b036

    Score
    10/10
    adwarediscoveryevasionpersistencespywarestealertrojanupx

    • Modifies visibility of file extensions in Explorer

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Registers COM server for autorun

      persistence

    • Sets file execution options in registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks