Overview

overview

10

Static

static

a5c959fb4a...f2.exe

windows7-x64

10

a5c959fb4a...f2.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

  • Size

    488KB

  • Sample

    221205-n2219sbg4t

  • MD5

    7ffd687e3046eba7d819628442e83fa3

  • SHA1

    819ab64fe969ee3d37ecf205875f4d686af9a34b

  • SHA256

    a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

  • SHA512

    5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

  • SSDEEP

    12288:x6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgB:SvdezCByqTtlMQsFuqzRbzI7IE

Score
10/10
evasionpersistencetrojan

Malware Config

Targets

    • Target

      a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

    • Size

      488KB

    • MD5

      7ffd687e3046eba7d819628442e83fa3

    • SHA1

      819ab64fe969ee3d37ecf205875f4d686af9a34b

    • SHA256

      a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

    • SHA512

      5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

    • SSDEEP

      12288:x6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgB:SvdezCByqTtlMQsFuqzRbzI7IE

    Score
    10/10
    evasionpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Disables RegEdit via registry modification

      evasion

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks