General
-
Target
http://80.66.75.37/a-Xgjsx.exe
-
Sample
230328-s11h9sbg77
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://80.66.75.37/a-Xgjsx.exe
Resource
win10-20230220-en
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt
mallox.resurrection@onionmail.org
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Targets
-
-
Target
http://80.66.75.37/a-Xgjsx.exe
Score10/10-
Clears Windows event logs
-
Downloads MZ/PE file
-
Stops running service(s)
-
Executes dropped EXE
-
Modifies file permissions
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Indicator Removal on Host
1File Deletion
2Impair Defenses
1File Permissions Modification
1Modify Registry
2