Overview

overview

8

Static

static

1

video (1).webm

windows10-1703-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    video (1).webm

  • Size

    15.1MB

  • Sample

    240203-zsfbpacebj

  • MD5

    87cd983fff8a16292a052e28cffde293

  • SHA1

    f0dad32c35915372e3c3d9f82353ff6a85b97c79

  • SHA256

    2851c16559111ead01b2c8f2b2733518ffdc58695fddbac70a0191c96cad622f

  • SHA512

    e8ae9fcba4e4d5bb39822cda47fec08fc156a7cc4c121f4033c6b556128b0bf6ad95264605c6f9cc11a282c62d286301a5af37f4c991c4783e78aef7d56d1e14

  • SSDEEP

    393216:KHwBkckuy2iLcbgmiTSdDz+zzPOHQKtITojmL8M6:swOb2iL5miTSdz+XSQKWSe8n

Score
8/10
discoveryevasionpersistencespywarestealer

Malware Config

Targets

    • Target

      video (1).webm

    • Size

      15.1MB

    • MD5

      87cd983fff8a16292a052e28cffde293

    • SHA1

      f0dad32c35915372e3c3d9f82353ff6a85b97c79

    • SHA256

      2851c16559111ead01b2c8f2b2733518ffdc58695fddbac70a0191c96cad622f

    • SHA512

      e8ae9fcba4e4d5bb39822cda47fec08fc156a7cc4c121f4033c6b556128b0bf6ad95264605c6f9cc11a282c62d286301a5af37f4c991c4783e78aef7d56d1e14

    • SSDEEP

      393216:KHwBkckuy2iLcbgmiTSdDz+zzPOHQKtITojmL8M6:swOb2iL5miTSdz+XSQKWSe8n

    Score
    8/10
    discoveryevasionpersistencespywarestealer

    • Downloads MZ/PE file

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modifies Installed Components in the registry

      persistence

    • Sets file execution options in registry

      persistence

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks