General
- Target: 0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed
- Size: 236KB
- Sample: 240312-rbrpdsad6s
- MD5: b81165ab0938e84fa87efefe0e2c0030
- SHA1: 9e33c952c6a0e14162c0de07eabc7d64e7f5b272
- SHA256: 0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed
- SHA512: 93805f5191a75cae4360ad41ec705bc1b6120db6f94c755016f6a9fecff02562ecbf95ee4e466149cefc7133289be04cd531954e311f38694a32b12b84db9932
- SSDEEP: 6144:KZtaw1henWCopyU0wKxbVKNaquP4V1+v1jnef:gHyVU0wKlVK0q9V141Cf
Behavioral task: behavioral1
- Sample: 0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\_READ_THIS_FILE_IQ13G_.txt
- URLs:
http://p27dokhpz2n7nvgr.onion/7435-9474-BA2D-0091-BE31
http://p27dokhpz2n7nvgr.1hkjl3.top/7435-9474-BA2D-0091-BE31
http://p27dokhpz2n7nvgr.16nxpn.top/7435-9474-BA2D-0091-BE31
http://p27dokhpz2n7nvgr.133chr.top/7435-9474-BA2D-0091-BE31
http://p27dokhpz2n7nvgr.17gvad.top/7435-9474-BA2D-0091-BE31
http://p27dokhpz2n7nvgr.15yvce.top/7435-9474-BA2D-0091-BE31
Extracted
- Path: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THIS_FILE_MWONP_.hta
- Family: cerber
Extracted
- Path: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_B5H3Y_.txt
- URLs:
http://p27dokhpz2n7nvgr.onion/2011-8482-E16A-0091-B540
http://p27dokhpz2n7nvgr.1hkjl3.top/2011-8482-E16A-0091-B540
http://p27dokhpz2n7nvgr.16nxpn.top/2011-8482-E16A-0091-B540
http://p27dokhpz2n7nvgr.133chr.top/2011-8482-E16A-0091-B540
http://p27dokhpz2n7nvgr.17gvad.top/2011-8482-E16A-0091-B540
http://p27dokhpz2n7nvgr.15yvce.top/2011-8482-E16A-0091-B540
Targets
- Target: 0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed
- Size: 236KB
- MD5: b81165ab0938e84fa87efefe0e2c0030
- SHA1: 9e33c952c6a0e14162c0de07eabc7d64e7f5b272
- SHA256: 0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed
- SHA512: 93805f5191a75cae4360ad41ec705bc1b6120db6f94c755016f6a9fecff02562ecbf95ee4e466149cefc7133289be04cd531954e311f38694a32b12b84db9932
- SSDEEP: 6144:KZtaw1henWCopyU0wKxbVKNaquP4V1+v1jnef:gHyVU0wKlVK0q9V141Cf
Score: 10/10
- Blocklisted process makes network request
- Contacts a large (1094) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (2)
- Subvert Trust Controls (1): Install Root Certificate (1)