General

  • Target

    9aa8b7694959679a2264861f7883e632b2c9800284d7330b2488e53e73790cd0

  • Size

    524KB

  • Sample

    221203-14zp5sdh4v

  • MD5

    ebe54cadbfe6c8ea2875687783ec18d8

  • SHA1

    43980d941d21e678edb6a8a64430673b898225f6

  • SHA256

    9aa8b7694959679a2264861f7883e632b2c9800284d7330b2488e53e73790cd0

  • SHA512

    cd0cb8785f395787bcdee55c2b00d809e20c462b4962b886ff0b0342759ede63d4ed3ac6e3aba6ff95ef49a4306139a54dde407a9d80b97e667e0050655605a3

  • SSDEEP

    6144:cxIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUSCnDU:cxIXsgtvm1De5YlOx6lzBH46Ut4

Targets

    • Target

      9aa8b7694959679a2264861f7883e632b2c9800284d7330b2488e53e73790cd0

    • Size

      524KB

    • MD5

      ebe54cadbfe6c8ea2875687783ec18d8

    • SHA1

      43980d941d21e678edb6a8a64430673b898225f6

    • SHA256

      9aa8b7694959679a2264861f7883e632b2c9800284d7330b2488e53e73790cd0

    • SHA512

      cd0cb8785f395787bcdee55c2b00d809e20c462b4962b886ff0b0342759ede63d4ed3ac6e3aba6ff95ef49a4306139a54dde407a9d80b97e667e0050655605a3

    • SSDEEP

      6144:cxIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUSCnDU:cxIXsgtvm1De5YlOx6lzBH46Ut4

    • Modifies WinLogon for persistence

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check that decides whether the sample continues on this host.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
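
The behaviours listed above map to a small set of registry locations and on-disk artifacts. The following PowerShell checklist is an added example for host triage, not output or code from the sandbox report; it assumes a stock Windows baseline (Winlogon Userinit and Shell pointing at the default binaries, UAC enabled), treats the 24-hour System32 write window as a tuning knob, and uses a hypothetical helper named Get-RegValueSafe. Run it elevated on a suspected host and review every entry in the output against your own baseline.

```powershell
# Added triage checklist: inspects the registry keys and on-disk artifacts that
# the signatures above correspond to on a stock Windows install. Run elevated.
# "Expected" values (stock Userinit/Shell, EnableLUA=1) and the 24-hour System32
# window are assumptions about a default baseline, not values from the report.

$findings = New-Object System.Collections.Generic.List[string]

# Hypothetical helper: read one registry value, returning $null if key/value is absent.
function Get-RegValueSafe {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Winlogon persistence ("Modifies WinLogon for persistence"): Userinit and
#    Shell should reference only the stock binaries.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = Get-RegValueSafe $winlogon 'Userinit'
if ($userinit -and $userinit.TrimEnd(',') -ne "$env:SystemRoot\system32\userinit.exe") {
    $findings.Add("Winlogon Userinit modified: $userinit")
}
$shell = Get-RegValueSafe $winlogon 'Shell'
if ($shell -and $shell -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell modified: $shell")
}

# 2. Run keys, including the policy variant ("Adds policy Run key", "Adds Run key").
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $findings.Add("Run entry ${key}\$($p.Name) = $($p.Value)") }
    }
}

# 3. RegEdit disabled by policy ("Disables RegEdit via registry modification").
foreach ($hive in 'HKCU', 'HKLM') {
    $v = Get-RegValueSafe "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools'
    if ($v -eq 1 -or $v -eq 2) { $findings.Add("DisableRegistryTools=$v set under $hive") }
}

# 4. UAC state ("Checks whether UAC is enabled", "UAC bypass").
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValueSafe $uacKey 'EnableLUA') -eq 0) {
    $findings.Add('UAC disabled (EnableLUA=0)')
}
if ((Get-RegValueSafe $uacKey 'ConsentPromptBehaviorAdmin') -eq 0) {
    $findings.Add('UAC elevates without prompting (ConsentPromptBehaviorAdmin=0)')
}

# 5. Location value the sample reads for its geofence ("Checks computer location settings").
$nation = Get-RegValueSafe 'HKCU:\Control Panel\International\Geo' 'Nation'
$findings.Add("Configured GeoID (Nation): $nation")

# 6. autorun.inf on every mounted file-system drive ("Drops autorun.inf file").
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $content = (Get-Content -LiteralPath $inf -Raw) -replace '\s+', ' '
        $findings.Add("autorun.inf on $($drive.Root): $content")
    }
}

# 7. Recently written executables in System32 ("Drops file in System32 directory").
$cutoff = (Get-Date).AddHours(-24)
Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object { $findings.Add("Recent System32 write: $($_.FullName) ($($_.LastWriteTime))") }

$findings
```

The Run-key and System32 checks are deliberately noisy: legitimate software populates both, so the output is a worklist to diff against a known-good host, not a verdict. The Winlogon, DisableRegistryTools and EnableLUA checks, by contrast, should be silent on a healthy machine, and any hit there deserves immediate attention.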

MITRE ATT&CK Enterprise v6
