Overview

overview

9

Static

static

1

50889d715d...b5.exe

windows7-x64

8

50889d715d...b5.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    50889d715db9b791213d5551ad9035eead1d7d835464443cdcfffe2ea2c734b5

  • Size

    1.9MB

  • Sample

    230404-l4wwxsga7s

  • MD5

    30dfabdca03a1a7a1745564186e79cc3

  • SHA1

    15085aa404e4f04c6a1c57aca549406f7589faef

  • SHA256

    50889d715db9b791213d5551ad9035eead1d7d835464443cdcfffe2ea2c734b5

  • SHA512

    c4a7d5fcc0bfad7c4aee5b56fa8d4c3dab651f1807b65f9a7ace946d674bc099b34e339596f59e7cdbef6d8732f76f7f8fd0f58b2b97460b79c4ef5ae5749a17

  • SSDEEP

    49152:34BQ3BcWYJOhnuiQae5ruEww216k4xIU3/gOyiUMB8:34BQ3BcLOhnuiQaeJBgFJm/gOyiUMB8

Score
9/10
bootkitdiscoveryevasionpersistencespywarestealertrojanupx

Malware Config

Targets

    • Target

      50889d715db9b791213d5551ad9035eead1d7d835464443cdcfffe2ea2c734b5

    • Size

      1.9MB

    • MD5

      30dfabdca03a1a7a1745564186e79cc3

    • SHA1

      15085aa404e4f04c6a1c57aca549406f7589faef

    • SHA256

      50889d715db9b791213d5551ad9035eead1d7d835464443cdcfffe2ea2c734b5

    • SHA512

      c4a7d5fcc0bfad7c4aee5b56fa8d4c3dab651f1807b65f9a7ace946d674bc099b34e339596f59e7cdbef6d8732f76f7f8fd0f58b2b97460b79c4ef5ae5749a17

    • SSDEEP

      49152:34BQ3BcWYJOhnuiQae5ruEww216k4xIU3/gOyiUMB8:34BQ3BcLOhnuiQaeJBgFJm/gOyiUMB8

    Score
    9/10
    bootkitdiscoveryevasionpersistencetrojanupxspywarestealer

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets file execution options in registry

      persistence

    • Sets service image path in registry

      persistence

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks