General
-
Target
http://80.66.75.37/a-Xgjsx.exe
-
Sample
230328-s11h9sbg77
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://80.66.75.37/a-Xgjsx.exe
Resource
win10-20230220-en
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Targets
-
-
Target
http://80.66.75.37/a-Xgjsx.exe
Score10/10-
Clears Windows event logs
-
Downloads MZ/PE file
-
Stops running service(s)
-
Executes dropped EXE
-
Modifies file permissions
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Impair Defenses
1Indicator Removal on Host
1Modify Registry
2