General
- Target: 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c
- Size: 2.5MB
- Sample: 240312-flw63sha9v
- MD5: e49ba2b2c27a164cf3b652069fc984c2
- SHA1: 1a6c7d91286220e2c28a665f85633825ef578e95
- SHA256: 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c
- SHA512: 2c4336dc6e062483753d760c339fb4bd7e6e06dfc5b9b25d4b05885414a9b7a5b9c62931558c31f1f398862c111ad35c6389c1ee3af15af2d2cbc3db85ecc670
- SSDEEP: 49152:+L2K7HrOi1eIhFwRncwD0FnPYAEhd/KOw8QwsJM60lQYJnn3Ect76:wd7Hrhh2RcYonAJ6BM667nnRt
Static task: static1
Behavioral task: behavioral1
- Sample: 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted from C:\Users\Admin\Desktop\_READ_THIS_FILE_99PY4A_.txt (ransom note):
- http://p27dokhpz2n7nvgr.onion/09FD-833B-CA5B-0091-B851
- http://p27dokhpz2n7nvgr.1hkjl3.top/09FD-833B-CA5B-0091-B851
- http://p27dokhpz2n7nvgr.16nxpn.top/09FD-833B-CA5B-0091-B851
- http://p27dokhpz2n7nvgr.133chr.top/09FD-833B-CA5B-0091-B851
- http://p27dokhpz2n7nvgr.17gvad.top/09FD-833B-CA5B-0091-B851
- http://p27dokhpz2n7nvgr.15yvce.top/09FD-833B-CA5B-0091-B851
Extracted from C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THIS_FILE_CG8XMGC_.hta (ransom note):
- Family: cerber
Extracted from C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_IUO71_.txt (ransom note):
- http://p27dokhpz2n7nvgr.onion/817D-34A8-6A64-0091-BDCF
- http://p27dokhpz2n7nvgr.1hkjl3.top/817D-34A8-6A64-0091-BDCF
- http://p27dokhpz2n7nvgr.16nxpn.top/817D-34A8-6A64-0091-BDCF
- http://p27dokhpz2n7nvgr.133chr.top/817D-34A8-6A64-0091-BDCF
- http://p27dokhpz2n7nvgr.17gvad.top/817D-34A8-6A64-0091-BDCF
- http://p27dokhpz2n7nvgr.15yvce.top/817D-34A8-6A64-0091-BDCF
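Added example, not part of the sandbox report and not Cerber's own code: a Python script that pulls the network indicators out of the ransom notes listed above. The note bodies it embeds are constructed for the example; they carry the exact file paths and URLs from this section, but the sentences around the URLs are invented filler, and the function names are the example's own. The point it makes is that every *.top host is the same p27dokhpz2n7nvgr onion service reached through a clearnet Tor gateway, so the gateway FQDNs are the indicator a resolver can actually block, whereas the victim ID in the URL path differs between the two notes found on this one host and should be treated as per-infection data rather than something to hunt on.

```python
import re
from collections import defaultdict

# Constructed ransom-note bodies for this example. The file paths and URLs are the
# ones the sandbox extracted for this sample; the surrounding sentences are filler
# standing in for the real note text, which is not reproduced on the page.
NOTES = {
    r"C:\Users\Admin\Desktop\_READ_THIS_FILE_99PY4A_.txt": """
Your documents, photos, databases and other important files have been encrypted.
Open one of the following links in your browser:
http://p27dokhpz2n7nvgr.onion/09FD-833B-CA5B-0091-B851
http://p27dokhpz2n7nvgr.1hkjl3.top/09FD-833B-CA5B-0091-B851
http://p27dokhpz2n7nvgr.16nxpn.top/09FD-833B-CA5B-0091-B851
http://p27dokhpz2n7nvgr.133chr.top/09FD-833B-CA5B-0091-B851
http://p27dokhpz2n7nvgr.17gvad.top/09FD-833B-CA5B-0091-B851
http://p27dokhpz2n7nvgr.15yvce.top/09FD-833B-CA5B-0091-B851
""",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_IUO71_.txt": """
Open one of the following links in your browser:
http://p27dokhpz2n7nvgr.onion/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.1hkjl3.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.16nxpn.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.133chr.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.17gvad.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.15yvce.top/817D-34A8-6A64-0091-BDCF
""",
}

# Cerber payment URLs: the host is either the native .onion name or
# <onion-name>.<gateway-domain> (a clearnet Tor gateway); the path is the victim ID.
URL_RE = re.compile(
    r"https?://([a-z0-9][a-z0-9.-]*)/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})", re.IGNORECASE
)


def extract_iocs(note_text):
    """Return onion services, gateway domains/FQDNs and victim IDs found in one note."""
    iocs = {"onion": set(), "gateway_domains": set(), "gateway_fqdns": set(),
            "victim_ids": set()}
    for host, victim_id in URL_RE.findall(note_text):
        host = host.lower()
        iocs["victim_ids"].add(victim_id.upper())
        labels = host.split(".")
        if labels[-1] == "onion":
            iocs["onion"].add(host)
        else:
            # Leftmost label is the onion name; the rest is the gateway's own domain.
            iocs["gateway_fqdns"].add(host)
            iocs["gateway_domains"].add(".".join(labels[1:]))
            iocs["onion"].add(labels[0] + ".onion")
    return iocs


def merge_notes(notes):
    """Merge IOCs across notes and keep the victim ID(s) seen in each file."""
    merged = defaultdict(set)
    ids_by_note = {}
    for path, text in notes.items():
        iocs = extract_iocs(text)
        ids_by_note[path] = iocs["victim_ids"]
        for key, values in iocs.items():
            merged[key] |= values
    return dict(merged), ids_by_note


def dns_blocklist(iocs):
    """Hostnames to sink at the resolver. The .onion name never touches DNS, so the
    clearnet gateway FQDNs are the actionable network indicator."""
    return sorted(iocs["gateway_fqdns"])


if __name__ == "__main__":
    merged, ids_by_note = merge_notes(NOTES)
    for key in ("onion", "gateway_domains", "victim_ids"):
        print(key, sorted(merged[key]))
    for path, ids in ids_by_note.items():
        print(path, sorted(ids))
    print("blocklist", dns_blocklist(merged))
```

Run it and the two notes collapse to one onion name, five gateway domains and two victim IDs; feeding the gateway FQDNs to a DNS sinkhole covers the clearnet paths, while Tor traffic to the .onion has to be handled at the egress rather than by hostname.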
Targets
- Target: 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c
- Size: 2.5MB
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Contacts a large number (1094) of remote hosts. The sandbox reads this as a possible network scan to discover remotely running services; for Cerber it is equally consistent with the family's known habit of spraying UDP packets across whole IP ranges after encryption, so check whether the destinations are contiguous and hit on a single port before treating it as a scan.
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence (Cerber is known to exit without encrypting on systems configured for CIS-region locales).
- Deletes itself
- Drops startup file
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger (the ThreadHideFromDebugger thread-information class; a thread hidden this way stops delivering debug events to an attached debugger, a common anti-analysis trick)
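Added example, not from the report: a Python sketch of the fan-out check behind the "large number of remote hosts" signature, run over constructed connection records rather than the sandbox's capture. The destinations sit in the 198.18.0.0/15 benchmarking range so that no real host is named; the 60-second window, the 100-host alert threshold, the 6000/udp port and the heuristic cut-offs are all this example's assumptions. It slides a window over each source's connections, counts distinct destinations, and then separates a one-port spray over a densely covered block (the shape Cerber's range beaconing takes) from a multi-port scan over scattered /24s.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed connection records: (timestamp_s, src, dst, proto, dport). These are
# not from the sandbox's capture; 198.18.0.0/15 is the RFC 2544 benchmarking range.
def build_records():
    records = []
    # Infected host: all 1,024 addresses of a /22 plus 70 of the next /24, i.e. 1,094
    # distinct destinations, one UDP port (6000 is arbitrary), inside 30 seconds.
    spray = list(ipaddress.ip_network("198.18.0.0/22"))
    spray += list(ipaddress.ip_network("198.18.4.0/24"))[:70]
    for i, dst in enumerate(spray):
        records.append((1000 + i * 30 / len(spray), "10.0.0.5", str(dst), "udp", 6000))
    # Workstation doing ordinary HTTPS to five hosts over five minutes.
    for i in range(50):
        records.append((1000 + i * 6, "10.0.0.7", f"10.0.1.{i % 5 + 1}", "tcp", 443))
    # Scanner: 200 hosts scattered one per /24, a different TCP port each time, in 20 s.
    for i in range(200):
        records.append((2000 + i * 0.1, "10.0.0.9",
                        f"198.19.{i}.{(i * 7) % 250 + 1}", "tcp", 1000 + i))
    return records


def fan_out(records, window_s=60):
    """Peak number of distinct destination hosts each source contacts within any
    window_s-second window (sliding window over time-sorted events)."""
    by_src = defaultdict(list)
    for ts, src, dst, _proto, _port in records:
        by_src[src].append((ts, dst))
    peak = {}
    for src, events in by_src.items():
        events.sort()
        live = Counter()  # destinations currently inside the window, with multiplicity
        head = 0
        best = 0
        for ts, dst in events:
            live[dst] += 1
            while ts - events[head][0] > window_s:
                old = events[head][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                head += 1
            best = max(best, len(live))
        peak[src] = best
    return peak


def characterize(records, src):
    """Heuristic split of a high fan-out source. One proto/port into densely covered
    /24s is the shape of a beacon sprayed over a whole range; many ports over
    sparsely touched /24s is the shape of a host or service scan."""
    mine = [r for r in records if r[1] == src]
    dsts = {r[2] for r in mine}
    endpoints = {(r[3], r[4]) for r in mine}
    prefixes = {ipaddress.ip_network(d + "/24", strict=False) for d in dsts}
    density = len(dsts) / (256 * len(prefixes))  # share of each touched /24 actually hit
    if len(endpoints) == 1 and density >= 0.5:
        return "range-spray"
    return "scan"


def alerts(records, threshold=100, window_s=60):
    """Sources whose peak fan-out exceeds threshold, with the heuristic label."""
    return {src: (n, characterize(records, src))
            for src, n in fan_out(records, window_s).items() if n > threshold}


if __name__ == "__main__":
    for src, (n, label) in alerts(build_records()).items():
        print(f"{src}: {n} distinct hosts in 60 s -> {label}")
```

On the constructed data the infected host alerts at 1,094 hosts and is labelled a range spray, the scanner alerts at 200 hosts and is labelled a scan, and the workstation stays under the threshold; with real flow logs the same two measurements (distinct endpoints and /24 density) are what separate Cerber's post-encryption beacon from genuine reconnaissance.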
MITRE ATT&CK Matrix (ATT&CK v13)
Defense Evasion
- Impair Defenses (T1562): 1
  - Disable or Modify System Firewall (T1562.004): 1
- Modify Registry (T1112): 2
- Subvert Trust Controls (T1553): 1
  - Install Root Certificate (T1553.004): 1