Overview

overview

10

Static

static

8

2ef41f1f43...85.exe

windows7-x64

10

2ef41f1f43...85.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe

  • Size

    411KB

  • Sample

    221112-mh924aaa6t

  • MD5

    31b407850c3c20bed39117100dbcc552

  • SHA1

    735a4acaf958402497b9e1b14ab3cb539e58889b

  • SHA256

    2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085

  • SHA512

    40814a29407c8a1ebfac7774b7c8d3bac20702467b8d7dbab6a788a1eb6547cfcdb23cafe18d7a5c59466124ac6ccaa53283d521fac9982304f816e451f10b4f

  • SSDEEP

    6144:KFT2dcBdnKqcGmkKPEoqHsyXdmxl6rOEyli/YVelQF3xIcE4IvFOs8j6EWackv5K:KAEx4EoqHsQdmxl6zbr+F3KUfaMuwc

Score
10/10
discoveryevasionexploitpersistencetrojanupx

Malware Config

Targets

    • Target

      2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe

    • Size

      411KB

    • MD5

      31b407850c3c20bed39117100dbcc552

    • SHA1

      735a4acaf958402497b9e1b14ab3cb539e58889b

    • SHA256

      2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085

    • SHA512

      40814a29407c8a1ebfac7774b7c8d3bac20702467b8d7dbab6a788a1eb6547cfcdb23cafe18d7a5c59466124ac6ccaa53283d521fac9982304f816e451f10b4f

    • SSDEEP

      6144:KFT2dcBdnKqcGmkKPEoqHsyXdmxl6rOEyli/YVelQF3xIcE4IvFOs8j6EWackv5K:KAEx4EoqHsQdmxl6zbr+F3KUfaMuwc

    Score
    10/10
    discoveryevasionexploitpersistencetrojanupx

    • Modifies system executable filetype association

      persistence

    • Modifies visibility of file extensions in Explorer

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Modifies boot configuration data using bcdedit

    • Adds policy Run key to start application

      persistence

    • Disables taskbar notifications via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Possible privilege escalation attempt

      exploit

    • Registers COM server for autorun

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Stops running service(s)

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Deletes itself

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Hidden Files and Directories

4
T1158

Registry Run Keys / Startup Folder

3
T1060

Modify Existing Service

2
T1031

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

11
T1112

Hidden Files and Directories

4
T1158

Bypass User Account Control

1
T1088

Disabling Security Tools

2
T1089

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Remote Desktop Protocol

1
T1076

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks