General
-
Target
00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498
-
Size
704KB
-
Sample
231114-xmxbxadg52
-
MD5
e5327fbbe6865c0f708e259a353512cf
-
SHA1
59592253d190506b9d34f23f779653857a1e0800
-
SHA256
00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498
-
SHA512
79c55503d715c070620fddbf582fbb8a5a1b2ae0dc4b033504a3c2817879fab6eddceda35a1a5582cfbaa9c35002f668a90134f371b5d3796f1a776baef11dd7
-
SSDEEP
12288:VXgvmzFHi0mo5aH0qMzd5807F9PJQPDHvd:VXgvOHi0mGaH0qSdPFv4V
Malware Config
Targets
-
-
Target
00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498
-
Size
704KB
-
MD5
e5327fbbe6865c0f708e259a353512cf
-
SHA1
59592253d190506b9d34f23f779653857a1e0800
-
SHA256
00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498
-
SHA512
79c55503d715c070620fddbf582fbb8a5a1b2ae0dc4b033504a3c2817879fab6eddceda35a1a5582cfbaa9c35002f668a90134f371b5d3796f1a776baef11dd7
-
SSDEEP
12288:VXgvmzFHi0mo5aH0qMzd5807F9PJQPDHvd:VXgvOHi0mGaH0qSdPFv4V
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Adds policy Run key to start application
-
Disables RegEdit via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1