ffea8e77c2fd8eac3dd3fa9e0bf1429a00a2f60ad1133ba12eb0e2cf118e0ae8 | Triage

Sharing

General

Target

ffea8e77c2fd8eac3dd3fa9e0bf1429a00a2f60ad1133ba12eb0e2cf118e0ae8
Size

327KB
Sample

221202-zyhzrshd51
MD5

e838a1cd4129c077f601d806a268989b
SHA1

2f986cca1fe6bf189291717e58b287f046447e43
SHA256

ffea8e77c2fd8eac3dd3fa9e0bf1429a00a2f60ad1133ba12eb0e2cf118e0ae8
SHA512

b5dc7d5849a07288e884e903e8591796c3cc7e7f73e172b0e3ae5d3e843d92f9c0c62fea69cda86d46d1082f2cea2944647515d3c9459ba0e684abefae5c781c
SSDEEP

6144:C3oPD7QO5H9Rea0tdqxgInOy8Hdu/hZJCLk7xWDNmrptKkJ:CQ7/dRhudupRgOhwixWhmrj

Score

10^/10

evasion persistence

Malware Config

Targets

- Target
  
  ffea8e77c2fd8eac3dd3fa9e0bf1429a00a2f60ad1133ba12eb0e2cf118e0ae8
- Size
  
  327KB
- MD5
  
  e838a1cd4129c077f601d806a268989b
- SHA1
  
  2f986cca1fe6bf189291717e58b287f046447e43
- SHA256
  
  ffea8e77c2fd8eac3dd3fa9e0bf1429a00a2f60ad1133ba12eb0e2cf118e0ae8
- SHA512
  
  b5dc7d5849a07288e884e903e8591796c3cc7e7f73e172b0e3ae5d3e843d92f9c0c62fea69cda86d46d1082f2cea2944647515d3c9459ba0e684abefae5c781c
- SSDEEP
  
  6144:C3oPD7QO5H9Rea0tdqxgInOy8Hdu/hZJCLk7xWDNmrptKkJ:CQ7/dRhudupRgOhwixWhmrj
Score

10^/10

evasion persistence
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence