Overview

overview

8

Static

static

7

1.bat

windows10-2004-x64

8

2.bat

windows10-2004-x64

1

3.bat

windows10-2004-x64

1

exe/ntregopt.exe

windows10-2004-x64

exe/reshacker.exe

windows10-2004-x64

7

exe/upx.exe

windows10-2004-x64

7

reg.bat

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SlimWin.7z

  • Size

    670KB

  • Sample

    231113-w56smafa26

  • MD5

    436631a4f4e47511ee280d9ba7715d5f

  • SHA1

    ec720e846000525712a9d4ae504bd645a326d6a7

  • SHA256

    c69d2404e2a9612e85dea8564bc995db41962603d4ea1530883cfa0f8e7b2a2f

  • SHA512

    3c6309e1e568fed93ddb0e1643056b01c6aaf1abf4375ef62ef2b8e67b299dd51ba10f9fa15069145f19403fb4c3937bc5cbc37e19cabcba0135d376c386a480

  • SSDEEP

    12288:B7oNDD8W8+DcGCKJWclOws4X1iZ9pYcKt3tX8oezk/tSgIlWF:hqD8ADEjHK4ZYBt3985kFjh

Score
8/10
evasionpersistencespywarestealerupx

Malware Config

Targets

    • Target

      1.bat

    • Size

      3KB

    • MD5

      9b1455a685a27c8a4f32d18949f69ad3

    • SHA1

      6dc1bb5d2564b74d7c17825a8cb26b5b1cd073d7

    • SHA256

      1a95ba631ec9a32c9e67492360ca5efb7f5018e9187058591dd0275dc09054ee

    • SHA512

      6236d61a9da80622dd73cdfe25690a0dbd979e0bcd1a1d80c2e4f13afddc0e20ddb70ef7dc6ff6cb39d93f4cdae7acc4aa8897918590a2e68d980e52ddcd4d29

    Score
    8/10
    evasionpersistencespywarestealer

    • Drops file in Drivers directory

    • Stops running service(s)

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Modifies termsrv.dll

      Commonly used to allow simultaneous RDP sessions.

    behavioral1

    • Target

      2.bat

    • Size

      7KB

    • MD5

      6309aac4ef0c0b950132b1dbc1c12cef

    • SHA1

      f10ec525b9dbb1acf24b11e4abee8eea9dd89e87

    • SHA256

      2b333eab32ac752d39a66b3363c720e95648ac717710cb25b22cc8f773dd5c89

    • SHA512

      87ad787ea880eb65ab5770d7bda7d0db9a30aa9f1eb40735f5079337c3aae16bea2d0f5a0f8ece4addfd4c91aa1bc04ae028a8168e22fe7a140729a5e3139815

    • SSDEEP

      96:3haETwB97sWfad9dmqP3pW59fQAMtuua0OKO7MyvBb2WtBOtKetivObnQiJ:3wBiWyd9RY5Wts0OKO4yvRtAwetCO3

    Score
    1/10
    behavioral2

    • Target

      3.bat

    • Size

      124B

    • MD5

      6235b84b18ce0c6259d6ed1a3877556f

    • SHA1

      759b666ff21ce6fd94fdc8a789d37b40a35dc490

    • SHA256

      9ebaf9755c102ec8e25f347106d5112e3bafe27a1f49e494c6182d3b4deb5ac2

    • SHA512

      f1816d91f386d9cf34a16b76c6cbbf45365ab9cdc24d168920e4603bfab25fb5900f09908803790b885a1d3985f7aa5eebb0eda4de80dc23b4b1ac926608aee3

    Score
    1/10
    behavioral3

    • Target

      exe/ntregopt.exe

    • Size

      128KB

    • MD5

      2165b82e4817a4752dfd3e71fe5953df

    • SHA1

      c3ddfb9ba93194ed1c6743f61f63f1ef3753feff

    • SHA256

      95652293f6016e8bb626e8143cc118b73c7790033522278831606c0b81760e49

    • SHA512

      7db14d5143bcca9ff68a14c4e7aae8794981a198be1a29279fb2ff96f292f20e5eb0887b902eefc937c5bdc19f889847b393be6a43de8163521772c576f59683

    • SSDEEP

      3072:QvnysXeJxVSOb5Lp0Jv3rPn/lgXKJ0whl7x4Fo4X:QvXp17P9gXKJxMRX

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops file in System32 directory

    behavioral4

    • Target

      exe/reshacker.exe

    • Size

      284KB

    • MD5

      ad067a1c9c906112e1e6268488654818

    • SHA1

      0f529cc473b744c26d7351df633bc9951faec800

    • SHA256

      0f7fb31f90fa902a832ee74df34a4f9a6895d2bc04d17c98008315c0b4797c72

    • SHA512

      6c0b900242e527f26032d60bbd592866fdeead7b4403747b68b6e84688faab41983e99d5b34cf0c2a978a5c09ed5ae0769b0d4613b27df886e65c439fe24a27e

    • SSDEEP

      6144:wF7QPx2gJzC4nNNNK1wqEswUKeBI32mqGum2s4HLa:WDCCUMmcwUKe+Goum2R

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5

    • Target

      exe/upx.exe

    • Size

      265KB

    • MD5

      bf1b3a4559e250e0fad9d7c138020982

    • SHA1

      11520e7042a4950674179f965030daa2e27705ee

    • SHA256

      aab1c02a436a5293026362a3b31127bd695740267093f6814b9e61f9142e2da6

    • SHA512

      2ffc6d87483977c32ea6c013315006a69a9678088b2fa069580ffdec0d80553b269672320753bce96b4afef98b5531fcb87ada131b8188c1604370b419512ea7

    • SSDEEP

      6144:zZF6unwNh9ooHxWUE0VgzO9NYn86eaMfeICQf7HhoS:tFBwhN3VEkNw5MG5KVoS

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral6

    • Target

      reg.bat

    • Size

      4KB

    • MD5

      2329da61fff0c2a03feb6892d8672f20

    • SHA1

      fb3c252a80727fe051c3d4ff822a62519b965e20

    • SHA256

      c0d5406ec03324dcb171272a0671d4da87f3d9df2533a0f78bbc2354762d1833

    • SHA512

      6f3b1babab9015ff2fef194ed20428398091eb8459e3474c0fc77e99419e7f9c38d70de8258e527b2bae87d617605c380d2004dfa693602930de182ba89d356f

    • SSDEEP

      48:6Zh8+K0xVjZhEssb8/IecfE13O4lRooptoE9HD5gjDKnE22Qo0L0wB9F8Vevd4lp:6D8+K0xRRp5lSopmE9HVij0LzlvKHklo

    Score
    1/10
    behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks