General

  • Target

    FPSPackV2.rar

  • Size

    36.4MB

  • Sample

    240510-23mjvshg35

  • MD5

    12673256e0d50949ad36aefabe65a902

  • SHA1

    4eedc11d2f21113eec256c44228932d81800f39b

  • SHA256

    091a875f36d0fdc6ed90617adc76d69da42f17c6f7b0defee81fb9655267e617

  • SHA512

    9ebe82dac456d32eaa3d53ad2885e0f7e4c02cedd9df43589b996d04199c67d135332818d1abdbb34997807ad9271374e9511616b617d8924beb2594a36e4d6b

  • SSDEEP

    786432:8lqmAV8jEtlmgjzzzrcWeQ8uFKU/j8W66OxXo31JjPm8HwUyD1Tj3gAYLV1OkPeY:w+7Wgj/cWeQ8uduKe8HtyFjkiI

Targets

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Creates new service(s)

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file that uses ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX or modified UPX open-source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15