General
Target: wwwramajudicialgovcoproceso000000700940300540.LHA
Size: 737KB
Sample: 240125-sxht2shgd4
MD5: 6c95a8dd2fbe75959cc88cb4bef93f5e
SHA1: 1ecf5995789f58687ce477118521d2d72dcbeb54
SHA256: 3770792a40acb10bd5eefeaf0400f044f0e4b38f21bf339789e9a05f8b5fb358
SHA512: adfebe35ba987fcebdc92caec1934901d59e72cde08ccc4ccaf480a54666219dd126b94c5dfbd0bfd69f203952f4ae41391f26b5fb77b7ddf38f113f1e56ab32
SSDEEP: 12288:PodUTTv301b1plIHUbb8NxuvKG7ZDd5IuUxg8AsUzgSgM4P+tbAtLyXbKH:xTv30/9OsSG7ZxOVUz235xH
Static task: static1
Behavioral task: behavioral1
Sample: wwwramajudicialgovcoproceso000000700940300540.exe
Resource: win7-20231215-en
Malware Config
Targets
Target: wwwramajudicialgovcoproceso000000700940300540.exe
Size: 786KB
MD5: 86b6376b986d74f2391da19a18ec2f22
SHA1: 6e71c1cd1ee49d21ccfbbe635415c46198270caf
SHA256: fb1ff068b0e9bf403835b2087e476f00dd57d3d9e670f09351fac465374004d7
SHA512: 6512c64c9eb46246b2998dca2e02c43bde6edb087104d16682f1cf4ae2be6c5f2ad2f0b99f17eb4ef894ad72249976f6ee0b2007785d6945191b8f70a326ab99
SSDEEP: 24576:UMvhZRJsVhqaDVDS4CS+8GX26nGfUJVX2W:zQ/qaDVGrS3GXlnGmX2
Signatures
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies security service
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)