72aef4d4f2fe2f4efdd52202964e7ecf6ec9f3e9ca95c8ca27ac571c4405fd9a | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Ogtnuzcwp.exe
Size

191.5MB
Sample

221231-wd8sxaab43
MD5

b7942b563ef73b7df7f0abce7fc7290b
SHA1

339d4ef4a46aefc0aec231b5bbacd4cdb788706e
SHA256

72aef4d4f2fe2f4efdd52202964e7ecf6ec9f3e9ca95c8ca27ac571c4405fd9a
SHA512

4f8f892b19a9b457e97cf2cd5033188d68516d78eef61377e7df75290e9dc28f3e4d7780cc0e901ca80e55a5f293b3ffa279ed56997c1b376df8ccefed882ec5
SSDEEP

49152:BkQTA+pPOabdz+k/sYjI8IKJY/MNQqQUl1:BaPabdz+k/ELKJcsv

Score

10^/10

evasion persistence trojan

Malware Config

Targets

- Target
  
  Ogtnuzcwp.exe
- Size
  
  191.5MB
- MD5
  
  b7942b563ef73b7df7f0abce7fc7290b
- SHA1
  
  339d4ef4a46aefc0aec231b5bbacd4cdb788706e
- SHA256
  
  72aef4d4f2fe2f4efdd52202964e7ecf6ec9f3e9ca95c8ca27ac571c4405fd9a
- SHA512
  
  4f8f892b19a9b457e97cf2cd5033188d68516d78eef61377e7df75290e9dc28f3e4d7780cc0e901ca80e55a5f293b3ffa279ed56997c1b376df8ccefed882ec5
- SSDEEP
  
  49152:BkQTA+pPOabdz+k/sYjI8IKJY/MNQqQUl1:BaPabdz+k/ELKJcsv
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan