General

  • Target

    tmp

  • Size

    4MB

  • Sample

    230119-fkxffscb5s

  • MD5

    e2c876ff5b1f24b59d928e595234cdef

  • SHA1

    82d06b09b2a8c514929aab293242d4796d4ee39f

  • SHA256

    e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244

  • SHA512

    9562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd

  • SSDEEP

    98304:ZXMmA6BgrvHq3uwG/9SopFAVrSkgAm2K2fklNvpJtpqCutXE:ZXb0TwmFzQ5PK2fklNvpJyCut

Malware Config

Targets

    • Target

      tmp

    • Size

      4MB

    • MD5

      e2c876ff5b1f24b59d928e595234cdef

    • SHA1

      82d06b09b2a8c514929aab293242d4796d4ee39f

    • SHA256

      e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244

    • SHA512

      9562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd

    • SSDEEP

      98304:ZXMmA6BgrvHq3uwG/9SopFAVrSkgAm2K2fklNvpJtpqCutXE:ZXb0TwmFzQ5PK2fklNvpJyCut

    • Modifies security service

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Stops running service(s)

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Modifies file permissions

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks