General

  • Target

    75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

  • Size

    397KB

  • Sample

    221129-jh1lwacf9s

  • MD5

    d1ff42bbf3cb032e645abb971be30e6c

  • SHA1

    50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85

  • SHA256

    75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

  • SHA512

    84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7

  • SSDEEP

    1536:4yh5JT8iIHLryUCkffLUsKrqGloK6votWdZGu030J49+I+CZ3wes:4c558LHnyUbT/Io7B0843X3w

Malware Config

Targets

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables taskbar notifications via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets file execution options in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks