General

  • Target

    Eleven.exe

  • Size

    291KB

  • Sample

    240515-1l4alsdh33

  • MD5

    cbce15fbe6803dadc776e071e572fdd7

  • SHA1

    8bcea3406938784448ca8277c8550b40585e7089

  • SHA256

    4dd8ebe0e5b2810f3490415144e27b834144c644a17dd58eb35a74025d305e5a

  • SHA512

    a3e43daa5130ab9942771f66c432848895aea5585cc3b2008d85119573798c3bcd8e86e89483989c9210458271885780f0fe5a85df9aa663a77aafc9dfb39716

  • SSDEEP

    6144:Tx/LcTEyF1dH3VOVw44UOisbaxHUsAxyOzk9jAFzbkvezHTRqn:iBREcUkHxy8yAFlT0

Malware Config

Targets

    • Target

      Eleven.exe

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables cmd.exe use via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Windows security modification

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks