General

  • Target

    08122023_0121_CooperativeProject_Details.pdf .exe

  • Size

    470KB

  • Sample

    231207-vw2a4seb25

  • MD5

    d6a6b2a90f67d6d1a59fdb7699ee18ee

  • SHA1

    b65b2889a588cade6afcb7addab3b1c8b9cb51f7

  • SHA256

    7479eac971f4ab87c476ec9417b2c29b99a4e06c9c3a3af8cd650506a49168c8

  • SHA512

    1a707a9ed976738fd79f5d9c9b1db90ddc5f6ec3b5cf227962d2bccaa98e2e373365f1399ec13a98f6a86ff21de9fb16460c6dde2bd2677be7401adeb2837090

  • SSDEEP

    6144:i8nENsjJUZHOHT9q3Yc5qh6/LkF8puww:UNsjJUZHOHIYc56mLkF8R

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://drive.google.com/uc?export=download&id=1ogbCiwBaVXPjDHhV0GcZx3l_HoU1dbid

Targets

    • Target

      08122023_0121_CooperativeProject_Details.pdf .exe

    • UAC bypass

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  • Privilege Escalation

    T1548 Abuse Elevation Control Mechanism (1)
    T1548.002 Bypass User Account Control (1)

  • Defense Evasion

    T1548 Abuse Elevation Control Mechanism (1)
    T1548.002 Bypass User Account Control (1)
    T1562 Impair Defenses (1)
    T1562.001 Disable or Modify Tools (1)
    T1112 Modify Registry (3)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (3)
    T1018 Remote System Discovery (1)

  • Command and Control

    T1102 Web Service (1)

Tasks