General

  • Target

    538659b84deb9934dd818af39fb89f4a.exe

  • Size

    10.8MB

  • Sample

    240111-y6bd8afhbp

  • MD5

    538659b84deb9934dd818af39fb89f4a

  • SHA1

    40fab316b3226d3838b9d32bd3daf39ed29a8a3f

  • SHA256

    978f6ce37ffb48155a487d1e73249d35e30b00c1e635b2cc66c9e5074be5324b

  • SHA512

    ff9759f64aede0f855f3e4f0c737cb86c03121aa2d9ec8f4b5b734972cbaa4af04529dc82201c2542ab88386586a771dcd4e2ca75240648d53731974e20d3a24

  • SSDEEP

    98304:67X7i7G7M7o7R37B757T7I7N787r7o7H7H:QLYMyORrtFnuJCfObH

Malware Config

Targets

    • FakeAV, RogueAntivirus

      FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.

    • FakeAV payload

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence

    Boot or Logon Autostart Execution: T1547 (2)
    Registry Run Keys / Startup Folder: T1547.001 (2)

  • Privilege Escalation

    Boot or Logon Autostart Execution: T1547 (2)
    Registry Run Keys / Startup Folder: T1547.001 (2)

  • Defense Evasion

    Modify Registry: T1112 (2)

  • Discovery

    Query Registry: T1012 (1)
    System Information Discovery: T1082 (2)