General
-
Target
19500c08819c8dded95f7d84fd1e70ad
-
Size
2.3MB
-
Sample
231230-p9d5vafee4
-
MD5
19500c08819c8dded95f7d84fd1e70ad
-
SHA1
3e994a39c2ded870a13a11f685ae605a6217d51c
-
SHA256
522cbea96c68debe4a53241120c1d1ee97aa13581becf02ac90cfb05ffc185b0
-
SHA512
f8e6a023e77bc1ba0e9942ebe91429ec6217b76d6ef43bfb18013ffd4e25478f351faeeb88da96a04d290450e533f151805e6781799a2d1fdc8134583d5c6966
-
SSDEEP
49152:sJs41sGD6Aer5sJy/Hl6OvJUczjRO4Ye47YfW5I5GWMo/4aNNpbndFl4Ad:qs86AeVbzvJUczjfBGeF/4aNNpJF2Ad
Malware Config
Extracted
http://78.26.187.108/soft-usage/favicon.ico?0=1200&1=CALKHSYM&2=i-s&3=72&4=7601&5=6&6=1&7=99600&8=1033
Extracted
http://78.26.187.108/soft-usage/favicon.ico?0=1200&1=TSBKFJQM&2=i-s&3=72&4=9200&5=6&6=2&7=919041&8=1033
Targets
-
-
Target
19500c08819c8dded95f7d84fd1e70ad
-
Size
2.3MB
-
MD5
19500c08819c8dded95f7d84fd1e70ad
-
SHA1
3e994a39c2ded870a13a11f685ae605a6217d51c
-
SHA256
522cbea96c68debe4a53241120c1d1ee97aa13581becf02ac90cfb05ffc185b0
-
SHA512
f8e6a023e77bc1ba0e9942ebe91429ec6217b76d6ef43bfb18013ffd4e25478f351faeeb88da96a04d290450e533f151805e6781799a2d1fdc8134583d5c6966
-
SSDEEP
49152:sJs41sGD6Aer5sJy/Hl6OvJUczjRO4Ye47YfW5I5GWMo/4aNNpbndFl4Ad:qs86AeVbzvJUczjfBGeF/4aNNpJF2Ad
Score10/10-
Modifies WinLogon for persistence
-
Blocklisted process makes network request
-
Sets file execution options in registry
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1