General

Target: sample
Size: 482KB
Sample: 240430-xgx19ade2x
MD5: 6c58cfcfcd83e372eb8facbf0b9bd003
SHA1: 92068a11e8fa369f706874596059c7f75a67889d
SHA256: a00f705b4a5d0d0a21700b0c95198e0fa51c06e6670cfe559b259a23e072fb63
SHA512: e28dec999ddf7913f345e16d129d7a4f8db1b88c22d5e988d9173c35a9f52a6ff78737fc268bc078ebb8cf313a8476431b9c2138c1a174afe6d98781669aef5a
SSDEEP: 6144:8GpCkUCkACkhCkoCkDCkBCkbCkgCkyCkTDA:8GCpCHCaCBCECyCuClCrCKDA

Static task: static1

Malware Config

Targets
Signatures

- Creates new service(s)
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies AppInit DLL entries
- Possible privilege escalation attempt
- Sets file execution options in registry
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Modifies system executable filetype association
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Registers COM server for autorun
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process: 1
  - Windows Service: 1
- Boot or Logon Autostart Execution: 4
  - Registry Run Keys / Startup Folder: 4
- Event Triggered Execution: 1
  - Change Default File Association: 1

Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Boot or Logon Autostart Execution: 4
  - Registry Run Keys / Startup Folder: 4
- Event Triggered Execution: 1
  - Change Default File Association: 1

Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 1
  - Disable or Modify Tools: 1
- Modify Registry: 7
- File and Directory Permissions Modification: 1
- Subvert Trust Controls: 1
  - Install Root Certificate: 1
- Hide Artifacts: 1
  - Hidden Files and Directories: 1