258c713562b0b18b8572a3d23c83d338b4c5cdb5fb421e47b78475ddd2cf7c06

Sharing

Copy URL

Twitter E-mail

General

Target

TwingateWindowsInstaller.exe
Size

81.9MB
Sample

240319-sk54tafg2v
MD5

54be7fa22ab8bf77dd7f9b1f3edad379
SHA1

68e91f755c007e6f0be6b1b81f72f0a9aa5fd46f
SHA256

258c713562b0b18b8572a3d23c83d338b4c5cdb5fb421e47b78475ddd2cf7c06
SHA512

41cc86a7298b6a3454e2368935fddb0645555f18894c32471b72bf5023410d7d858d68accccb6901cd174ae1f4c729864e1ba356a3a79e0dee857cdd62a82631
SSDEEP

1572864:KYTufAs+mNKQHyPkQgM8KAsXNC3xCUH/3ivgHQeN0jRgXJN9HoRTFo0zS8Bw5rtY:KGDQHyPGM8CXU3Em/l30j65NSoqDy5xw

Score

7^/10

discovery persistence

Malware Config

Targets

- Target
  
  TwingateWindowsInstaller.exe
- Size
  
  81.9MB
- MD5
  
  54be7fa22ab8bf77dd7f9b1f3edad379
- SHA1
  
  68e91f755c007e6f0be6b1b81f72f0a9aa5fd46f
- SHA256
  
  258c713562b0b18b8572a3d23c83d338b4c5cdb5fb421e47b78475ddd2cf7c06
- SHA512
  
  41cc86a7298b6a3454e2368935fddb0645555f18894c32471b72bf5023410d7d858d68accccb6901cd174ae1f4c729864e1ba356a3a79e0dee857cdd62a82631
- SSDEEP
  
  1572864:KYTufAs+mNKQHyPkQgM8KAsXNC3xCUH/3ivgHQeN0jRgXJN9HoRTFo0zS8Bw5rtY:KGDQHyPGM8CXU3Em/l30j65NSoqDy5xw
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/NetCoreCheck.exe
- Size
  
  142KB
- MD5
  
  5f6469960e0016d44be090160b889077
- SHA1
  
  114b94c1401d039903e5e8b11cacbb737230365a
- SHA256
  
  cb5714eb1f8b3938233823f465173c45ccef73e5b0ee122391853a3f2a305294
- SHA512
  
  a3cacbab7a8a2b0a914b2eb6043f20e60761dbedfefa12fa5353d326370c087845a9eed2024675284449bbcbb8510da72b8832114f003dd2473b45357cf5c670
- SSDEEP
  
  3072:7/nYmLarqUNvydkN1kDICHESJL9kazPOZt+1tT/r:Dn4JFSES/Pos
Score

1^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/TwingateWindowsInstaller.msi
- Size
  
  27.0MB
- MD5
  
  3974c25fcade33b85f27d2770ed5ff87
- SHA1
  
  13a04128d62654e53e6d2b29c6ff3205c717f189
- SHA256
  
  5c0292d6ae44e7fe2949a12170d820f7ee8fb091f508717a7c9bbddf876e97ab
- SHA512
  
  018a49d3183a43a54f185b0de55aefe8cccacf17fd5d7ddc65e937945c25cc9741e8c62177c2187002b58c8875d945093e1cd2859667efa50af46dbdb94065ca
- SSDEEP
  
  786432:KPZj+TaQhNxLjbKSEEXK+KbOejfWquBxqHf4lWsayGs:KV++QhLj2SRXKZiejHuBxqQlWvs
Score

6^/10
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/dotnet-WindowsDesktop-x64.exe
- Size
  
  54.6MB
- MD5
  
  d6d5ec50cc606d19651cd3e69911a51f
- SHA1
  
  f45ba5596de84abef7b3ec4857a6b4e9f2f4b92b
- SHA256
  
  1002a385738783d1a4594e84b95d01fd241536ab7a1fd4f99b1ee13f49f6db9d
- SHA512
  
  8927e3bcda1f439af84af0cb41fefc38c4386297eb463ddc7dd835d98502e63e0ba06a0732b02939a981644d8afad1d77036b6ac38d348c1cd29cf691cb80da7
- SSDEEP
  
  1572864:kfIbCsGSR84vql2mQw19ECV7YyVuunDzuslEQz6flmTq:MN4vqluw15Vsy4+Dfh6f4u
Score

4^/10

discovery
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/ndp48-web.exe
- Size
  
  1.4MB
- MD5
  
  34a5c76979563918b953e66e0d39c7ef
- SHA1
  
  4181398aa1fd5190155ac3a388434e5f7ea0b667
- SHA256
  
  0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
- SHA512
  
  642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040
- SSDEEP
  
  24576:xGHL3siy910NSmtLvUDSRbm4Jah1rVx8MjoGO8W6cbZtgd6AmpITsz0+lLF7cy:mL3s7K8eTUDBzrVx8MjoGO8W6cbs8NpT
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  b4579bc396ace8cafd9e825ff63fe244
- SHA1
  
  32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
- SHA256
  
  01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
- SHA512
  
  3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a
- SSDEEP
  
  96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
Score

3^/10
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Adds Run key to start application

Blocklisted process makes network request

Downloads MZ/PE file

Enumerates connected drives

Blocklisted process makes network request

Enumerates connected drives

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14