General

  • Target

    17012024_2140_FedEX Shipment Arrival Notification AWB Number 00117980920.img

  • Size

    1.9MB

  • Sample

    240117-qyrggagbfm

  • MD5

    c81ea996bbc868c8f79bddfec412fc58

  • SHA1

    f64efda79d221af24b9dd1a9ddbbd874c680e979

  • SHA256

    c32ca257ee0c260e7dfa276c8756ca9a50ea347de5e8b1b858dd5de0f85d763c

  • SHA512

    108b5328dbe8f7a679b59d27195db031200c152f4adc59d3f0cc1113972d0c332adbdd55c53c8c10ec8b20168bcf8c1d0b3681c28c0ac4baa27c2c66abf3f5cb

  • SSDEEP

    192:zmmyxRQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHm:pfYz

Malware Config

Targets

    • Target

      BL#ACU240141 & Doc#HLCUBKK240124139.pdf .js

    • Size

      1.4MB

    • MD5

      286d534eb759c671fa9e79cfafd3bc85

    • SHA1

      d165938c1c607618c5cb6d9d11cf5b371f007ac7

    • SHA256

      77109ba56a5e70fafe88a10800764ec30d35727c1ff8cdb2934534ae8c7e048b

    • SHA512

      3b1ee1a647b623265ad7e90d786e61cafe6ca5e312676dafcc198763cf8efe3f479fb66b4aae9d1e7289ec5433055ab193ffd91abefc732e3d337d4fe987119b

    • SSDEEP

      192:FQzfvQzrHHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHH3HHHHHHnHHHHHHf:efYzD

    • UAC bypass

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Registers COM server for autorun

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique / Sub-technique             | Count | ID
  ---------------------|---------------------------------------|-------|----------
  Persistence          | Create or Modify System Process       | 1     | T1543
                       |   Windows Service                     | 1     | T1543.003
                       | Boot or Logon Autostart Execution     | 2     | T1547
                       |   Registry Run Keys / Startup Folder  | 2     | T1547.001
  Privilege Escalation | Abuse Elevation Control Mechanism     | 1     | T1548
                       |   Bypass User Account Control         | 1     | T1548.002
                       | Create or Modify System Process       | 1     | T1543
                       |   Windows Service                     | 1     | T1543.003
                       | Boot or Logon Autostart Execution     | 2     | T1547
                       |   Registry Run Keys / Startup Folder  | 2     | T1547.001
  Defense Evasion      | Abuse Elevation Control Mechanism     | 1     | T1548
                       |   Bypass User Account Control         | 1     | T1548.002
                       | Impair Defenses                       | 1     | T1562
                       |   Disable or Modify Tools             | 1     | T1562.001
                       | Modify Registry                       | 2     | T1112
  Discovery            | Query Registry                        | 3     | T1012
                       | System Information Discovery          | 4     | T1082
  Command and Control  | Web Service                           | 1     | T1102

Tasks