Resubmissions

01-04-2024 15:36

240401-s2an8shb33 10

01-04-2024 15:14

240401-smgt1agh52 8

General

  • Target

    NPE.exe

  • Size

    16.2MB

  • Sample

    240401-s2an8shb33

  • MD5

    ddfc82cf4eab81965e3ec8ca8915b00a

  • SHA1

    1e5b94be6922e6198afe39a7fc695db291bffcf6

  • SHA256

    4819d87fe9d0d0485fe85a3843a3e3ecd61ebe50a115dad01ec10275272be82a

  • SHA512

    ac08fa6aa1e55a653ad48305bf19c346d0a82a30830ae5b8c84d557e44c57511e39c68deb786044481074fb694d3827f66cb66862ac52fb4437663e82d64ba42

  • SSDEEP

    196608:dm9mJUAMfMvgTz2ENNFV8pYrqNpEdYo1NTXPJb:sCMfMQz2Ev8+rqNp1yXPJb

Malware Config

Targets

    • Target

      NPE.exe

    • Size

      16.2MB

    • MD5

      ddfc82cf4eab81965e3ec8ca8915b00a

    • SHA1

      1e5b94be6922e6198afe39a7fc695db291bffcf6

    • SHA256

      4819d87fe9d0d0485fe85a3843a3e3ecd61ebe50a115dad01ec10275272be82a

    • SHA512

      ac08fa6aa1e55a653ad48305bf19c346d0a82a30830ae5b8c84d557e44c57511e39c68deb786044481074fb694d3827f66cb66862ac52fb4437663e82d64ba42

    • SSDEEP

      196608:dm9mJUAMfMvgTz2ENNFV8pYrqNpEdYo1NTXPJb:sCMfMQz2Ev8+rqNp1yXPJb

    • UAC bypass

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks