General
Target: tripwire.rbxm
Size: 5KB
Sample: 240220-z3s1jafe75
MD5: b1e6020337331c2046f8213af96d1d8e
SHA1: b8e64badac642ebfef596073db888a83494f4f60
SHA256: 78ca2022958c79fc09a3e66c9a565d0a3426fb9b98e631f89e72cfd6b01a6755
SHA512: 12247cbf7dc92d015da6b0b70336110c35c671e3634b94e9cd21c4c0af164586760cf12ae8da779d8f8305048609660d6cb702125e3ab42f03ca1954fce7a2d9
SSDEEP: 96:A6rsd2hvbSAPPM8KXYgTIdUp25LNFBUHg:Assd2hDSmUZYgkpVxr
Static task: static1
Behavioral task: behavioral1
Sample: tripwire.rbxm
Resource: win10v2004-20231215-en
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___TVT9V7G_.txt
cerber
Targets
Target: tripwire.rbxm
Score: 10/10
- Contacts a large number (1122) of remote hosts. This may indicate a network scan to discover remotely running services.
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry