3461d0dafd691ca66a472ff1b3a786c506062766dce32c41eb4850103e810699 | Triage

Resubmissions

01-08-2023 13:22

230801-qmctyaga52 10

01-08-2023 13:15

230801-qhqj8sga32 10

Sharing

General

Target

PatchAP.23.x.exe
Size

1.7MB
Sample

230801-qhqj8sga32
MD5

5ce67938a175370ffd35be6aa0dca982
SHA1

2ad8efb5209461a3a8ba25871e8f85e565a92f12
SHA256

3461d0dafd691ca66a472ff1b3a786c506062766dce32c41eb4850103e810699
SHA512

104d04999a4425334e95e7ebab69f4f38d9bbffb0a900d6fdf61052629b291ba8ff1defd691ab1fbeba98c6f0bdfb70cc020237753ba2164b808cbba7c5a3f3e
SSDEEP

24576:EscgHM6TdCH1eASiL5yPSvUwdKKT6CgxUzF7v0FRrqvw07qIdIZiJWUkN3P/qPuW:5c2M6T0H0lPSvJ5WdCBsUwrIzJWrVdvU

Score

10^/10

evasion persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/cloud1cybertron/wincurl/raw/main/curl.exe

Targets

- Target
  
  PatchAP.23.x.exe
- Size
  
  1.7MB
- MD5
  
  5ce67938a175370ffd35be6aa0dca982
- SHA1
  
  2ad8efb5209461a3a8ba25871e8f85e565a92f12
- SHA256
  
  3461d0dafd691ca66a472ff1b3a786c506062766dce32c41eb4850103e810699
- SHA512
  
  104d04999a4425334e95e7ebab69f4f38d9bbffb0a900d6fdf61052629b291ba8ff1defd691ab1fbeba98c6f0bdfb70cc020237753ba2164b808cbba7c5a3f3e
- SSDEEP
  
  24576:EscgHM6TdCH1eASiL5yPSvUwdKKT6CgxUzF7v0FRrqvw07qIdIZiJWUkN3P/qPuW:5c2M6T0H0lPSvJ5WdCBsUwrIzJWrVdvU
Score

10^/10

evasion persistence upx
- Modifies WinLogon for persistence
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Process Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistenceupx