7905df7457eea6b6c6d9f521a587121dd2bf5737d9b62454f7e6473fe7cddf21

Resubmissions

27-04-2024 22:49

240427-2rth2aad39 10

27-04-2024 22:47

240427-2qnamaac87 3

Sharing

Copy URL

Twitter E-mail

General

Target

x64__x32___setup.zip
Size

8.4MB
Sample

240427-2rth2aad39
MD5

f5b602d25cd3b1c570466062728fc1c6
SHA1

130abed4d3b935f65f9c579f16ff73f734bbe342
SHA256

7905df7457eea6b6c6d9f521a587121dd2bf5737d9b62454f7e6473fe7cddf21
SHA512

7c11b04f6046478945d92f05c56e4fc9fe860e89d7f9b5a35b5f37e6bf9d6b6ad7410c9c435f01487a29a001f3060d2aea8cc4f4bc4ecf6fb7698a50f7a87ea3
SSDEEP

196608:cazmCIyMTws71nVS9OkKRaDqHr1NJFyT/6f0SYFeqKGq1sVw:caWLEs71nVsJDqL1NXyT6f+4Gq1ew

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://opensun.monster/2704e.bs64

Targets

- Target
  
  RADCUI/RADCUI.dll
- Size
  
  378KB
- MD5
  
  67301d7bf509b07889c8e207163ec41b
- SHA1
  
  23c5dcef8cdbb465ae78c74233dcff4a86c13f11
- SHA256
  
  3df3bbdb86551a262dfffa4d99ed145f18d2208ab4d0fa1a4d6ef8cecbf2b4de
- SHA512
  
  36af3c2ea28da3667300dce3f8f28bb708b8684fb94b8020fdc06c28aa58f9de27c1b4077aa2ffe8640573c47d7859155bb8175b9aeb2aaf98a0b90c1d96a934
- SSDEEP
  
  6144:HxQc6/55CKR4RifAwp3jND9/qucww3ZUrzSUPdbkgbo3vIk3zEJ:Hxh6/55CK6IlBD9/Xw3ujlIQk
Score

10^/10
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  RADCUI/pidgenx.dll
- Size
  
  1.0MB
- MD5
  
  6f6a74d46ba225261488dbdf32caa69b
- SHA1
  
  063ffb322674165c96b8cf25a8441ed1c5962f37
- SHA256
  
  695a4ef496fa8b52566f0006ede20ea39d2383eca5bd1a73196d9e2bac487069
- SHA512
  
  200ca7d88c091a6e85206d22255f327c02f567f1ff082181ff7a08d809319f176a50068a1b946d2260e0045458429b26cfb4760acd194a961996bb42362693dd
- SSDEEP
  
  24576:nRYt15lLwZHcISiGezlU/UhE5SeK7j5ZLdPOZzbO:TfGG+/UhA5KxZF1
Score

1^/10
behavioral2
- Target
  
  RADCUI/termsrv.dll
- Size
  
  1.2MB
- MD5
  
  acf335acc55f0ac19e3f738073a8e3c9
- SHA1
  
  e8ddd78866726ac535700877aa2131dfd273ce40
- SHA256
  
  d131c26e62999b9ff68e2d40d316ac0d50407017e3970f45ca01089a3692359c
- SHA512
  
  071f0ce46486bac6c05f99ce235a1071cdc1d71d4949171edd768688d82504d9cfb622748c4f6203a324c899ad68da5c09d2d2a82992285d97048540e4f05c74
- SSDEEP
  
  24576:rcfXwLC9bgXOuyD8XMO79WniT3mooGxcYSz:SwaWwoMO79W43mooEcYS
Score

1^/10
behavioral3
- Target
  
  cdosys/cdosys.dll
- Size
  
  1.0MB
- MD5
  
  4b32087670a6ec10c30f19b44b55fd81
- SHA1
  
  dfd4160d7667fd653d4c120bd9f03ee6306d4636
- SHA256
  
  5bbdd7dfd38a030620f8ff5ea02ae4f045d733d9af39655e168e18f48bc5faff
- SHA512
  
  cc154bfda1c11d592afe15e5968e36e34d1dacb585ed3ebf0c06f4aee83d853bbe6b72c01000d8fef7a882b4cb682916efe4537b6a05b99bad411fbfa942d889
- SSDEEP
  
  24576:Qbxqt/VuE+lA1rFsh4ZH83hNYdJX8Uc78zPAYVkJ:axqt/VuS1WC8xad5tykAL
Score

1^/10
behavioral4
- Target
  
  iasnap/iasnap.dll
- Size
  
  146KB
- MD5
  
  9159148d50715f59a725a977967898b7
- SHA1
  
  f5517daf900443dd6bc105359dc65886d6d554cd
- SHA256
  
  7c1dfb2b669a3346db1c72aa240aa0c8c11ae874f295957a4ae5225aea5ce338
- SHA512
  
  a7af2ee0bffe1a065ea9e5d221a335d92f6e3205bc57a06a9e5ad21bdf99f99d570b4402296cf17600ed723a7859a6b9dd51dcab75dc5e4904c90138e1b01ec1
- SSDEEP
  
  3072:h/snML9MjETSXzWRYrVmigq8SdquzxxTPYZczFZM2+ahI:hsMizWRY4igq8CrzxxTPYZjla
Score

1^/10
behavioral5
- Target
  
  iasnap/mfds.dll
- Size
  
  940KB
- MD5
  
  2555ca538cfa951b193896509b847730
- SHA1
  
  11d95c5d4f1836db092632e9a84a36a5b80563e9
- SHA256
  
  8c965bae549766b7fa4b9d9c7e56a729abc5474484efe94663b3c8bfd0429719
- SHA512
  
  2d0606b9fa6b9bdcbab1ed000af9df3369eb3a260014d3b3fa2fc407568d1729eb85af8117f8fd2bb354d4cfeb32382217ebccc3b2019aec4e9e1a5ec0061ec4
- SSDEEP
  
  24576:1jNufeKFyo5zYINB2USKfkTInCyVNImtGQty:1jNufeKFyUzYIWZSkTMJt3ty
Score

7^/10

persistence
- Registers COM server for autorun
  persistence
behavioral6
- Target
  
  iasnap/mprddm.dll
- Size
  
  893KB
- MD5
  
  aa6c7b6257f5c9175979a36a29b66be7
- SHA1
  
  a0a7be48eccb51594583aef5f3f13a374cb3b316
- SHA256
  
  6b7aab5fc92181204e2fa92058c3d1a321377827580164c47973930f3d8335ac
- SHA512
  
  e5b5f16a9fcd9cfc5e1b717d9d64c67cd447b50cf1aa2efe06a1c2791c78cffb8174e931e5fea640c15a3ff2d489074c19f12a5c52c244833fe013f09bc556cc
- SSDEEP
  
  24576:spTENwvBLsGjhrmVjm2fkAnJZo2a3m2hBdG:C/S8hrmVjm2fk6s3fhBdG
Score

1^/10
behavioral7
- Target
  
  setup.msi
- Size
  
  8.4MB
- MD5
  
  7d0e7e9083315bddec9bbc60fbf30ba3
- SHA1
  
  008eb06db4a300ae988ea004503382bec53f0743
- SHA256
  
  572e7f82c29a2be6f927cb28c1125eb4f7e62f0d5e82e8489706a64e8e8302e2
- SHA512
  
  8678ee4b95226e57d4ed867a3cec5827b01389e4542dccab48e11b10b14966117c698c4bd4e02ed752fb8383459a12b1d6cde3a6fdbe9bb87f4005ae72cab0bc
- SSDEEP
  
  196608:KN6gYGIfVlhQ+gtODuwjWT6mPY6T/9dFr5Wfbr:KD3IfVlhQ+glwY6ArT6fb
Score

10^/10
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral8 behavioral9
- Target
  
  winmde/MMDevAPI.dll
- Size
  
  517KB
- MD5
  
  8123fced22f5424445baa833e790abe8
- SHA1
  
  77d11ab87bd8f4aba309164ca2fe054d510db65c
- SHA256
  
  0a5e682042a3dad4bf67ab9a0e3542683a12b75c727ec4972820cf15e5cf59c2
- SHA512
  
  186cf65d2ed065684ae5562a895a8c05475378fd84534e0f3ad59e7193d06539bf577dd5aa11ba31423f186cc44b0a92f216e1f50b8736a1ef3998543238741b
- SSDEEP
  
  12288:jB7f6jxCrRb4VKBjeOh2shFUuzqAp8RbjGSzklr:jdzr5MGXLvx
Score

1^/10
behavioral10
- Target
  
  winmde/Windows.Graphics.dll
- Size
  
  553KB
- MD5
  
  29bbe29eaefbc1fd7df09e5730619af0
- SHA1
  
  df0c487b5eba7f05b4acc4365c45745f3e565ea2
- SHA256
  
  81252237cefbc6058842c1db98067d5bd1d7819b18367be889f6f6dd326c64cd
- SHA512
  
  6400546bbf6c400c1660b4a5ad88b5b22f9447fad0ff938543e69d9b081020e6c4b583b2edcf5cf082ff59643164052bb8ecc147199cd74011cb1be7e41d0672
- SSDEEP
  
  6144:v2b4x5qM/VRCEU/UUL9SpUUkNslL1tKPjvt+/e4OO7Y8nR7kE1TRYl0YH2Cr:v2b8xUD9nN9PbY/e18Rgse0Sr
Score

1^/10
behavioral11
- Target
  
  winmde/daxexec.dll
- Size
  
  671KB
- MD5
  
  aa304599017322a35b85a25c05b2181c
- SHA1
  
  ccd39e2485b8990dd7cfe5b4a8587afd6efcba27
- SHA256
  
  db2fe02682d410de2e4fa6e9435b9dc14b3739922fe1e6796e8b94942f711944
- SHA512
  
  14f48ddf29aa5e9dfa9c84661a1cc6f2d5cc1c62a51a055ed1e4820150e29638863ca6f75d339f7c6f1d47d20e6bfdc77f7a90cecb21deb7b7350c2743a62e40
- SSDEEP
  
  12288:JWThr/x7b9KmyqDOw8JqJctn3VYP1f4mIyoeHswILgD:JMTxHyqDOjtVYPB4xeMwIU
Score

1^/10
behavioral12
- Target
  
  winmde/mi.dll
- Size
  
  124KB
- MD5
  
  0987db6e1d0563e9a91e8c8fbf266482
- SHA1
  
  edf1a012b912f5787c22d4e5ad70765e7e73c113
- SHA256
  
  5271e8c2759227b34a2e28c5172798b1d79e86f6eeb325979141d903b8f1f7ab
- SHA512
  
  8befa9003f2f4c9131d80a3e64208238c690e2c4176973cada6a491e337325e8b5ab765b8d9fa0958e9240ff839dc95987d4af4485e665fa88924bc30991b796
- SSDEEP
  
  3072:7eLS08QsjvBLZzY44FZOXWF/UnzvtWXsZ0jpx9AQ+:w8/jvBLZxWFItWXzjpn
Score

1^/10
behavioral13
- Target
  
  winmde/winmde.dll
- Size
  
  1.7MB
- MD5
  
  2f6eec666fcf2a5a81ddd5d7c3cb69a1
- SHA1
  
  82368bb81d3e2157af3ff75edd6c15e7c3f9cfe7
- SHA256
  
  4256747504369f6d70e0051d1966952bf96e1ad178f9ffe6ecf369b9c3a088ec
- SHA512
  
  f6efc08618866a419b583059f905861a09c19c599d8d1e8cc9ec1382178a28dae8410a31b0bfbecc4889e3e65dc1a6b5b3c568b1b6a3dee725e17801b8916641
- SSDEEP
  
  24576:wHCJaV9biKS6cGNy15GI5MTs9sZJh4r0gukLqfwwUc8s5EwmG:bJceGNy15GIeTse4r0gukLYwDwmG
Score

1^/10
behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Registers COM server for autorun

Blocklisted process makes network request

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14