General
- Target: .
- Size: 146KB
- Sample: 240405-qhvtysdf23
- MD5: 76bda9b59d5aac22de246d89bcfb75e1
- SHA1: 4d965319a9a2af9271b97913a5e93c1aae032c8d
- SHA256: a76364703233d375b024d5f3ca5415e42dd7283643cf67b8a50cba691c659c9f
- SHA512: 5c821c3866c7a6b5359efda20dd785f67bd333ba1f4cb80c9c74936f1ee9a265cff4d0c32c018d762968f33eb6452daac903b33845ca34ecacb3a7af391db128
- SSDEEP: 1536:oukud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DCHhqiS:dkPLFoVsllXmxUHhqiS

Static task: static1

Malware Config
Targets
- Target: . (146KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates new service(s)
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Modifies Windows Firewall
- Sets service image path in registry
- Stops running service(s)
- Uses Session Manager for persistence
  Creates Session Manager registry key to run executable early in system boot.
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Registers COM server for autorun
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)

Persistence
- Boot or Logon Autostart Execution: 6
  - Registry Run Keys / Startup Folder: 5
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 3
  - Windows Service: 3
- Pre-OS Boot: 1
  - Bootkit: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 6
  - Registry Run Keys / Startup Folder: 5
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 3
  - Windows Service: 3

Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 3
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 1
- Modify Registry: 7
- Pre-OS Boot: 1
  - Bootkit: 1