1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca | Triage

Sharing

General

Target

1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca
Size

1016KB
Sample

221123-vkfj9scb7v
MD5

44393b585c395c719d5253ee3c31a620
SHA1

2e67a1959239c38212d2535b14933ca0509aaac1
SHA256

1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca
SHA512

52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65
SSDEEP

6144:KIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:KIXsgtvm1De5YlOx6lzBH46Umu1q

Score

10^/10

evasion persistence trojan

Malware Config

Targets

- Target
  
  1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca
- Size
  
  1016KB
- MD5
  
  44393b585c395c719d5253ee3c31a620
- SHA1
  
  2e67a1959239c38212d2535b14933ca0509aaac1
- SHA256
  
  1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca
- SHA512
  
  52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65
- SSDEEP
  
  6144:KIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:KIXsgtvm1De5YlOx6lzBH46Umu1q
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Disables RegEdit via registry modification
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

evasionpersistencetrojan