General

  • Target

    623dab7292ef98451a51578fa7cc68dc

  • Size

    268KB

  • Sample

    240117-kwh5eschg2

  • MD5

    623dab7292ef98451a51578fa7cc68dc

  • SHA1

    60bdf860b5c918d378a43c7ec041510aa263c675

  • SHA256

    35fc5b61657865db8b53adf2015368f6c15cf3ed2dd0229582ba61c9e0ab3cc7

  • SHA512

    d7101fbac0b45b27323b32cefbead04e7914cc538ee447e49da05ed96c3eb417833fa3168a20db25a9e9078ca8f941bea91484f950b7af2a2bf712e5770dbdf6

  • SSDEEP

    3072:SpbRtLU0BtEfvOKpXMsA1J5pJju8dXHVcoFqm12B:Spb3OPGl1J5ri8d3Kf22

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor
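What the extracted config above means in practice, as an added example that is not part of the sandbox report or of Metasploit's own code: call4_dword_xor is Metasploit's "Call+4 Dword XOR" x86 encoder, which XORs the payload dword by dword with a single 32-bit key and prefixes it with a short decoder stub that finds its own address with a call instruction. The script below reproduces the XOR layer, recovers the key from a partially known first dword (the assumption, labelled in the code, is a payload that starts with Metasploit's usual cld; call prologue fc e8 ?? 00), and checks a file against the hashes listed in this report. The payload bytes and key are constructed; the hashes are copied from the report.

```python
import hashlib
import itertools
import struct
from typing import Iterator, Optional, Sequence

# Hashes copied from the report above (target 623dab7292ef98451a51578fa7cc68dc).
REPORT_IOCS = {
    "md5": "623dab7292ef98451a51578fa7cc68dc",
    "sha1": "60bdf860b5c918d378a43c7ec041510aa263c675",
    "sha256": "35fc5b61657865db8b53adf2015368f6c15cf3ed2dd0229582ba61c9e0ab3cc7",
    "sha512": "d7101fbac0b45b27323b32cefbead04e7914cc538ee447e49da05ed96c3eb417"
              "833fa3168a20db25a9e9078ca8f941bea91484f950b7af2a2bf712e5770dbdf6",
}


def hashes_of(data: bytes) -> dict:
    """Compute the four cryptographic hashes the report lists
    (SSDEEP needs an external library and is not reproduced here)."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_IOCS}


def matches_report(data: bytes) -> bool:
    """True only if every listed hash matches; one mismatch means a
    different file (or a tampered report), never a partial match."""
    computed = hashes_of(data)
    return all(computed[k] == v for k, v in REPORT_IOCS.items())


def xor_dwords(buf: bytes, key: int) -> bytes:
    """XOR each little-endian dword of buf with the 32-bit key. This is the
    whole transform of a dword-XOR encoder, so the same call decodes."""
    if len(buf) % 4:
        raise ValueError("buffer must be a multiple of 4 bytes")
    return b"".join(struct.pack("<I", d ^ key)
                    for (d,) in struct.iter_unpack("<I", buf))


def encode(payload: bytes, key: int, bad_chars: bytes = b"\x00") -> bytes:
    """Pad to a dword boundary and encode. As msfvenom does, refuse a key
    whose bytes, or whose encoded output, contain a bad character."""
    padded = payload + b"\x90" * ((-len(payload)) % 4)  # constructed NOP padding
    encoded = xor_dwords(padded, key)
    if any(b in bad_chars for b in struct.pack("<I", key) + encoded):
        raise ValueError("bad character in key or encoded payload")
    return encoded


def candidate_keys(encoded: bytes, crib: Sequence[Optional[int]]) -> Iterator[int]:
    """Yield every key consistent with a partially known first plaintext dword.
    crib has 4 entries; None marks a byte to brute-force. Assumption (not from
    the report): many x86 Metasploit payloads start with 'cld; call <api block>',
    i.e. fc e8 ?? 00, so three of the four key bytes are fixed at once."""
    if len(crib) != 4 or len(encoded) < 4:
        raise ValueError("need a 4-byte crib and at least one encoded dword")
    known = [None if c is None else (encoded[i] ^ c) for i, c in enumerate(crib)]
    unknown = [i for i, k in enumerate(known) if k is None]
    for guesses in itertools.product(range(256), repeat=len(unknown)):
        kb = list(known)
        for pos, g in zip(unknown, guesses):
            kb[pos] = g
        yield int.from_bytes(bytes(kb), "little")


# Constructed stand-in for a payload: the first dword imitates the Metasploit
# x86 prologue, the remaining bytes are filler, not working shellcode.
SAMPLE_PAYLOAD = b"\xfc\xe8\x8f\x00\x00\x00" + b"\x60\x89\xe5\x31\xd2"
SAMPLE_KEY = 0x1A2B3C4D
SAMPLE_CRIB = [0xFC, 0xE8, None, 0x00]


def demo() -> dict:
    """Round trip: encode, recover key candidates from the crib, decode."""
    blob = encode(SAMPLE_PAYLOAD, SAMPLE_KEY)
    keys = list(candidate_keys(blob, SAMPLE_CRIB))
    decoded = xor_dwords(blob, SAMPLE_KEY)
    return {"encoded": blob, "candidates": keys,
            "decoded": decoded[:len(SAMPLE_PAYLOAD)]}


if __name__ == "__main__":
    r = demo()
    print("encoded :", r["encoded"].hex())
    print("keys    :", len(r["candidates"]), "candidates; true key present:",
          SAMPLE_KEY in r["candidates"])
    print("decoded :", r["decoded"].hex())
```

Run it directly for the encode/decode round trip, or call matches_report(open(path, "rb").read()) on a file you want to compare with this report's indicators. The decoder stub bytes differ between Metasploit versions and are not reproduced here: locate the stub in the sample first and feed only the bytes after it to candidate_keys, then check each candidate by disassembling the decoded output rather than by trusting the crib alone.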

Targets

    • Target

      623dab7292ef98451a51578fa7cc68dc

    • Size

      268KB

    • MD5

      623dab7292ef98451a51578fa7cc68dc

    • SHA1

      60bdf860b5c918d378a43c7ec041510aa263c675

    • SHA256

      35fc5b61657865db8b53adf2015368f6c15cf3ed2dd0229582ba61c9e0ab3cc7

    • SHA512

      d7101fbac0b45b27323b32cefbead04e7914cc538ee447e49da05ed96c3eb417833fa3168a20db25a9e9078ca8f941bea91484f950b7af2a2bf712e5770dbdf6

    • SSDEEP

      3072:SpbRtLU0BtEfvOKpXMsA1J5pJju8dXHVcoFqm12B:Spb3OPGl1J5ri8d3Kf22

    • MetaSploit

      Detected a payload from the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Reads disk information from the registry; this is often done to detect sandbox environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
