07d6b71653fafd84f5228e391ced68aa4a0a04405b20361033fcd119a3639d22 | Triage

Submit
Reports

Overview

overview

Static

static

.NET Frame...10.exe

windows7-x64

.NET Frame...10.exe

windows10-2004-x64

Sharing

General

Target

.NET Framework FIX WIN10.exe
Size

4.6MB
Sample

221209-1ned9see24
MD5

91182cc38b2dcadf8bbbaca3319d6c55
SHA1

ef9065fe80b54f2af060347995e584dc35b5f3b6
SHA256

07d6b71653fafd84f5228e391ced68aa4a0a04405b20361033fcd119a3639d22
SHA512

9b5eeb07a17a169f08c5de8789cc2c810af0dde579cb65739b8ac2c723348fe044e4d803ade4097ba510073c27c9b92d6e3a08a574c777a923ea9ef527fd30e5
SSDEEP

98304:ZMheos0UFj5H5ekbAa3CKz3pqR6fW+971MOIkCOW+FIpzFzKQ:ZyXM15nbAjKNqRT+dG6FW+khzL

Score

10^/10

discovery evasion exploit

Static task

static1

Behavioral task

behavioral1

Sample

.NET Framework FIX WIN10.exe

Resource

win7-20220812-en

discovery evasion exploit

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

.NET Framework FIX WIN10.exe

Resource

win10v2004-20220901-en

discovery evasion exploit

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  .NET Framework FIX WIN10.exe
- Size
  
  4.6MB
- MD5
  
  91182cc38b2dcadf8bbbaca3319d6c55
- SHA1
  
  ef9065fe80b54f2af060347995e584dc35b5f3b6
- SHA256
  
  07d6b71653fafd84f5228e391ced68aa4a0a04405b20361033fcd119a3639d22
- SHA512
  
  9b5eeb07a17a169f08c5de8789cc2c810af0dde579cb65739b8ac2c723348fe044e4d803ade4097ba510073c27c9b92d6e3a08a574c777a923ea9ef527fd30e5
- SSDEEP
  
  98304:ZMheos0UFj5H5ekbAa3CKz3pqR6fW+971MOIkCOW+FIpzFzKQ:ZyXM15nbAjKNqRT+dG6FW+khzL
Score

10^/10

discovery evasion exploit
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

discoveryevasionexploit

behavioral2

discoveryevasionexploit

© 2018-2024

Terms | Privacy