General

  • Target

    9643a7d366552a33c9d82d6af8b2522d

  • Size

    2.8MB

  • Sample

    240212-e8sxhaad51

  • MD5

    9643a7d366552a33c9d82d6af8b2522d

  • SHA1

    188b6f2f40971d6b65246141d60e0aa33d6806b3

  • SHA256

    fa26c0369d7e663f6f8cc322999531818abbf3de5bcaf2dbc30851a5463923d9

  • SHA512

    e4b64ef5211f9824b31a0fbd22f186cf9773e8135924cbda0cd98de820c79cf54bdae6ec03c3ec71679e8379c4f3ff94f6bab7a8128143b1bf4fce8934579a16

  • SSDEEP

    49152:67N1ahCc0V7N1ahCLh0V7N1ahCE0V7N1ahCo0:67J7I7x7
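
Before spending analysis time on a copy of this sample pulled from another source, confirm it is byte-for-byte the file the report describes. The following helper is an added example (not part of the original report or of any sandbox's code): it streams a file through MD5, SHA1, SHA256 and SHA512 at once and compares the results, case-insensitively, against the digests listed above. The `digests()` / `matches_report()` entry points and the `REPORTED` table name are my own; the digest values are copied from the General section.

```python
"""Verify a retrieved sample against the digests published in this report."""
import hashlib
from typing import Dict

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digest values copied verbatim from the report's General section.
REPORTED: Dict[str, str] = {
    "md5": "9643a7d366552a33c9d82d6af8b2522d",
    "sha1": "188b6f2f40971d6b65246141d60e0aa33d6806b3",
    "sha256": "fa26c0369d7e663f6f8cc322999531818abbf3de5bcaf2dbc30851a5463923d9",
    "sha512": (
        "e4b64ef5211f9824b31a0fbd22f186cf9773e8135924cbda0cd98de820c79cf5"
        "4bdae6ec03c3ec71679e8379c4f3ff94f6bab7a8128143b1bf4fce8934579a16"
    ),
}


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory buffer, one per algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digests(), but streamed so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(computed: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match flags; hex case is normalised because reports differ."""
    return {
        name: computed.get(name, "").lower() == expected[name].lower()
        for name in expected
    }


def matches_report(data: bytes) -> bool:
    """True only if every published digest matches the supplied bytes."""
    return all(verify(digests(data), REPORTED).values())


if __name__ == "__main__":
    import sys

    # Usage: python verify_sample.py <path-to-sample>
    result = verify(digests_of_file(sys.argv[1]), REPORTED)
    for name, ok in result.items():
        print(f"{name:6} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

The SSDEEP value is not reproducible with the standard library; the third-party `ssdeep` Python package can compute it, and a fuzzy-hash match is useful when a sample has been repacked and the exact digests no longer agree.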

Malware Config

Targets

    • FakeAV, RogueAntivirus

      FakeAV, or Rogue AntiVirus, is a class of malware that displays fake infection warnings and security alerts to frighten the user into paying for a bogus product or installing further components.

    • FakeAV payload

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
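
The signatures above are registry-centric: a Run key for persistence, a file-execution-options change, and a country-code lookup. The following added example (mine, not the sandbox's or the report's code) shows how a triage script can classify registry operations recorded by a sandbox and map them onto the technique IDs this report lists (T1547.001, T1112, T1082). Two interpretations are assumptions rather than facts from the report: that "file execution options" means an Image File Execution Options (IFEO) `Debugger` value, and that the country-code lookup reads `HKCU\Control Panel\International\Geo\Nation`. The tab-separated event lines, the `example_av.exe` / `secctr.exe` names and the `classify()` / `triage()` / `summarize()` functions are all constructed for the example.

```python
"""Classify sandbox registry events against the signatures in this report."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Registry paths are case-insensitive, so every pattern is compiled with re.I.
# The leading ".*" skips hive prefixes such as HKCU\ or HKU\S-1-5-21-...\.
RUN_KEY = re.compile(
    r".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Assumption: "Sets file execution options" refers to an IFEO Debugger value,
# which makes Windows launch the named debugger instead of the target program.
IFEO_KEY = re.compile(
    r".*\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+$",
    re.I)
# Assumption: the country-code lookup reads Control Panel\International\Geo\Nation.
GEO_KEY = re.compile(r".*\\Control Panel\\International\\Geo$", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID as listed in the report
    signature: str   # report signature the event corresponds to
    key: str
    value: str
    data: str


def classify(op: str, key: str, value: str, data: str) -> Optional[Finding]:
    """Map one registry operation to a report signature, or None if benign."""
    op = op.lower()
    if op == "setvalue" and RUN_KEY.match(key):
        return Finding("T1547.001", "Adds Run key to start application", key, value, data)
    if op == "setvalue" and IFEO_KEY.match(key) and value.lower() == "debugger":
        return Finding("T1112", "Sets file execution options in registry", key, value, data)
    if op == "queryvalue" and GEO_KEY.match(key) and value.lower() == "nation":
        return Finding("T1082", "Checks computer location settings", key, value, data)
    if op == "setvalue":
        # Any other write is still a registry modification worth recording.
        return Finding("T1112", "Modify Registry", key, value, data)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Parse tab-separated 'OP<TAB>KEY<TAB>VALUE<TAB>DATA' lines into findings."""
    findings: List[Finding] = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the triage
        finding = classify(*parts)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per technique ID, mirroring the report's matrix counts."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Constructed sample events; file and program names are invented for the example.
SAMPLE_EVENTS = [
    "SetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    "\tSecurity Center\tC:\\Windows\\System32\\secctr.exe",
    "SetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\example_av.exe"
    "\tDebugger\tC:\\Windows\\System32\\secctr.exe",
    "QueryValue\tHKCU\\Control Panel\\International\\Geo\tNation\t244",
    "QueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\tProductName\tWindows 7 Professional",
    "SetValue\tHKCU\\Software\\ExampleApp\\Settings\tLastRun\t20240212",
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.technique:10} {f.signature:42} {f.key}\\{f.value} = {f.data}")
    print(summarize(results))
```

A Run key pointing at a freshly written file under System32, combined with an IFEO `Debugger` value that redirects a security product to that same file, is the combination to look for when hunting this family on a live host; the generic `Modify Registry` bucket catches the rest so the summary stays comparable with the report's per-technique counts.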

MITRE ATT&CK Matrix (ATT&CK v13)

Counts are the number of signature hits mapped to each technique.

  Persistence
    Boot or Logon Autostart Execution       T1547      2
      Registry Run Keys / Startup Folder    T1547.001  2

  Privilege Escalation
    Boot or Logon Autostart Execution       T1547      2
      Registry Run Keys / Startup Folder    T1547.001  2

  Defense Evasion
    Modify Registry                         T1112      2

  Discovery
    Query Registry                          T1012      1
    System Information Discovery            T1082      2
