900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f | Triage

Sharing

General

Target

900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f
Size

2.2MB
Sample

221205-pvs1fsec9w
MD5

44e75fcf7bffbb2d15574bd78abb663b
SHA1

43be4f349f05f5ba056961ee8bdc9e4e8c443a10
SHA256

900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f
SHA512

c6aaaec41b7b84586a43a2fde49641de06aafa1d1d5d0f1000dcc69b518e7a2920165c708da3048abd889513ff8c23c187bfd9cf5d12ae4a98932333be43a961
SSDEEP

49152:Tb+qOGFGc/y+BMsAuII26f0EQh6fVnOTk3DSpX4R9DKp52:Tb2ou+mZpI268EQsx3D2XNpw

Score

10^/10

evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=VUIIVLGQ&2=i-s&3=135&4=7601&5=6&6=1&7=99600&8=1033

Extracted

Language

hta

Source

URLs

hta.dropper

http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=SOCAAGDT&2=i-s&3=135&4=9200&5=6&6=2&7=919041&8=1033

Targets

- Target
  
  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f
- Size
  
  2.2MB
- MD5
  
  44e75fcf7bffbb2d15574bd78abb663b
- SHA1
  
  43be4f349f05f5ba056961ee8bdc9e4e8c443a10
- SHA256
  
  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f
- SHA512
  
  c6aaaec41b7b84586a43a2fde49641de06aafa1d1d5d0f1000dcc69b518e7a2920165c708da3048abd889513ff8c23c187bfd9cf5d12ae4a98932333be43a961
- SSDEEP
  
  49152:Tb+qOGFGc/y+BMsAuII26f0EQh6fVnOTk3DSpX4R9DKp52:Tb2ou+mZpI268EQsx3D2XNpw
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

evasionpersistencetrojan