Resubmissions

11-04-2024 07:29

240411-jbfccsef62 10

11-04-2024 07:28

240411-jaw9gshg4y 9

11-04-2024 07:28

240411-jawmysef47 10

11-04-2024 07:28

240411-jawb7aef46 8

11-04-2024 07:28

240411-jav2esef45 7

07-04-2024 09:04

240407-k11v2ahh64 7

07-04-2024 09:04

240407-k1s57ahe5z 10

07-04-2024 09:03

240407-k1d19she41 10

07-04-2024 09:03

240407-kz78qahe4v 8

18-12-2023 04:55

231218-fj6bzaadg5 10

General

  • Target

    6ffdead52c68fdafb9fb7e5f0b2e4fc806e56f1a3126bad04194cba602dd92c5

  • Size

    1.9MB

  • Sample

    240411-jaw9gshg4y

  • MD5

    001f6aefa850c575018eaa792a0ebbc5

  • SHA1

    69a44211fda244815a6f7b4480dada97f7778fe0

  • SHA256

    6ffdead52c68fdafb9fb7e5f0b2e4fc806e56f1a3126bad04194cba602dd92c5

  • SHA512

    24eeb6d51b6d3d2988e4eb39a0c0580013d7a3a1711d0d512a233c5a5ca1f5bb4d28b3e39e0e18990d83f592c3550e13cb905b7573c013155867b7221b9997d5

  • SSDEEP

    24576:Z0ZIVjFxbxJMgQ5DIiJ1KxwflAbWgj8RuFwTXJsK63Ct6ij0V+uYzjy2QhL8Gbge:CC9pagQFIE1KbkYF+X70V+hy7hAI1U

Malware Config

Targets

    • Target

      6ffdead52c68fdafb9fb7e5f0b2e4fc806e56f1a3126bad04194cba602dd92c5

    • Size

      1.9MB

    • MD5

      001f6aefa850c575018eaa792a0ebbc5

    • SHA1

      69a44211fda244815a6f7b4480dada97f7778fe0

    • SHA256

      6ffdead52c68fdafb9fb7e5f0b2e4fc806e56f1a3126bad04194cba602dd92c5

    • SHA512

      24eeb6d51b6d3d2988e4eb39a0c0580013d7a3a1711d0d512a233c5a5ca1f5bb4d28b3e39e0e18990d83f592c3550e13cb905b7573c013155867b7221b9997d5

    • SSDEEP

      24576:Z0ZIVjFxbxJMgQ5DIiJ1KxwflAbWgj8RuFwTXJsK63Ct6ij0V+uYzjy2QhL8Gbge:CC9pagQFIE1KbkYF+X70V+hy7hAI1U

    • Contacts a large (1443) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Network Service Discovery

2
T1046

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Tasks