General
-
Target
bb002e1426ab741ae4afd3b8a928a19587d675c81a0a38cb3e62eb0e1fc127bc
-
Size
11.7MB
-
Sample
231114-xxw4wseh75
-
MD5
3836e490f557c024564eef358998d5f9
-
SHA1
5568dfba54215623cfb3d8d4700aeaa38123c1e8
-
SHA256
bb002e1426ab741ae4afd3b8a928a19587d675c81a0a38cb3e62eb0e1fc127bc
-
SHA512
da09470070164f662abc765d6c0b06f48889e502fe5a379b1c10c60db3ec1e5d87a74aceb920ca999e07108b549421707a35fb1508a034dfea1bbcd5ca1bb400
-
SSDEEP
6144:z1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKq1QFHgTVlY86JQPDHDdx/Qtqa:kOkiCpat4FU6JXKqCZgVlYPJQPDHvd
Malware Config
Targets
-
-
Target
bb002e1426ab741ae4afd3b8a928a19587d675c81a0a38cb3e62eb0e1fc127bc
-
Size
11.7MB
-
MD5
3836e490f557c024564eef358998d5f9
-
SHA1
5568dfba54215623cfb3d8d4700aeaa38123c1e8
-
SHA256
bb002e1426ab741ae4afd3b8a928a19587d675c81a0a38cb3e62eb0e1fc127bc
-
SHA512
da09470070164f662abc765d6c0b06f48889e502fe5a379b1c10c60db3ec1e5d87a74aceb920ca999e07108b549421707a35fb1508a034dfea1bbcd5ca1bb400
-
SSDEEP
6144:z1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKq1QFHgTVlY86JQPDHDdx/Qtqa:kOkiCpat4FU6JXKqCZgVlYPJQPDHvd
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Adds policy Run key to start application
-
Disables RegEdit via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1