Overview

overview

10

Static

static

1

WIN_202309...ro.jpg

windows10-2004-x64

Resubmissions

09/10/2023, 23:32

231009-3jce8abb24 10

09/10/2023, 23:25

231009-3ef8lsha7x 8

09/10/2023, 23:21

231009-3cfjasba86 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    WIN_20230904_22_44_24_Pro.jpg

  • Size

    240KB

  • Sample

    231009-3jce8abb24

  • MD5

    2a34ccca435ec5f7fe7d3aa0994c43bb

  • SHA1

    957a8d917e9f795089dbc8ec95906530ba4b6ba1

  • SHA256

    a5a99b75b4cfbf2ee2fa04e09d3b4714e4710d5edde4d4807b9a15449ee3199b

  • SHA512

    7997510647b4d1999733f5af7b314f60f3dea09f970898e251754e72c8bbc18ecf5780ab1fecd4b19442d136f9a0943a95024385d60d42b1585ec46a6137545a

  • SSDEEP

    6144:cgwkJICGdV/WpuY9e5GtcYeAHsb//C7FciH:cgnJICGdV/Oe5Ge1sciH

Score
10/10
agilenetevasionpersistencetrojanupx

Malware Config

Targets

    • Target

      WIN_20230904_22_44_24_Pro.jpg

    • Size

      240KB

    • MD5

      2a34ccca435ec5f7fe7d3aa0994c43bb

    • SHA1

      957a8d917e9f795089dbc8ec95906530ba4b6ba1

    • SHA256

      a5a99b75b4cfbf2ee2fa04e09d3b4714e4710d5edde4d4807b9a15449ee3199b

    • SHA512

      7997510647b4d1999733f5af7b314f60f3dea09f970898e251754e72c8bbc18ecf5780ab1fecd4b19442d136f9a0943a95024385d60d42b1585ec46a6137545a

    • SSDEEP

      6144:cgwkJICGdV/WpuY9e5GtcYeAHsb//C7FciH:cgnJICGdV/Oe5Ge1sciH

    Score
    10/10
    agilenetevasionpersistencetrojanupx

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks