General
Target: dctroll.txt
Size: 23B
Sample: 240413-psbcmade64
MD5: e20921a175a773a7c0c4417c5e4ded0f
SHA1: 6bbe9628db2772a11cc7a6f51cca8a8d65dc6c96
SHA256: 49dde0850864be9fab68a21d89d2bea3bd681663c5fe04edd9b8b7f8f69011e9
SHA512: e78674458084635846eab87e869b36e8b564671424ae8201d560a77738683c9284f84a1d6bbdd6ad14999742754e59c064ada32b673c884d0c3a1997115406cc
Static task
static1
Behavioral tasks
behavioral1: sample dctroll.txt, resource win10-20240404-en
behavioral2: sample dctroll.txt, resource win10v2004-20240412-en
behavioral3: sample dctroll.txt, resource win11-20240412-en
Malware Config
Targets
Target: dctroll.txt (23B; hashes as listed under General)
Signatures matched for this target:
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
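As an added example (not part of this sandbox report and not the sandbox's own tooling), the PowerShell below is a host triage check for the registry-based behaviours the signature list reports: the Task Manager lockout, the wallpaper change, and the country-code read. The report does not name the exact keys the sample wrote, so the paths and value names used here are the standard locations these signatures normally refer to and are assumptions: the DisableTaskMgr policy value under the HKCU and HKLM Policies\System keys, the Wallpaper value under HKCU:\Control Panel\Desktop, and the Nation value under HKCU:\Control Panel\International\Geo (the country code returned by GetUserGeoID). Run it on a host suspected of having executed the sample.

```powershell
# Added triage check; not part of the sandbox report. The registry locations below are
# assumptions (the report lists behaviours, not keys) and are the standard paths that
# "Disables Task Manager", "Sets desktop wallpaper" and "Checks computer location
# settings" signatures normally correspond to.

$checks = @(
    @{ Name  = 'DisableTaskMgr (HKCU policy)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr'
       Bad   = { param($v) $v -eq 1 } },
    @{ Name  = 'DisableTaskMgr (HKLM policy)'
       Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr'
       Bad   = { param($v) $v -eq 1 } },
    @{ Name  = 'Desktop wallpaper'
       Path  = 'HKCU:\Control Panel\Desktop'
       Value = 'Wallpaper'
       # A wallpaper served from a user-writable or drop location is the suspicious case.
       Bad   = { param($v) $v -match '\\(Temp|AppData|Public|ProgramData)\\' } },
    @{ Name  = 'Geo Nation (country code read by GetUserGeoID)'
       Path  = 'HKCU:\Control Panel\International\Geo'
       Value = 'Nation'
       # Reading this value is not malicious by itself; it is recorded because the
       # sample reads it (reported as a likely geofence), so note it but do not flag it.
       Bad   = { param($v) $false } }
)

foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue returns $null when the key or value is absent.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0,-48} not set" -f $c.Name
        continue
    }
    $v    = $item.($c.Value)
    $flag = if (& $c.Bad $v) { 'SUSPICIOUS' } else { 'ok' }
    "{0,-48} {1,-10} {2}" -f $c.Name, $flag, $v
}

# Remediation for the Task Manager lockout. Do this only after the dropped EXE/DLL the
# report mentions have been removed, otherwise the value is simply written again:
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name DisableTaskMgr
```

The wallpaper path and the outbound request to the IP lookup service (check proxy or DNS logs for it) are stronger pivots for scoping than the country-code read, which many legitimate applications also perform.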
MITRE ATT&CK Matrix (ATT&CK v13); the number after each technique is the count of matching signatures
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (3)