Resubmissions
25-06-2024 10:28
240625-mhrwhsxdln 325-06-2024 10:27
240625-mg7wcaxdjk 325-06-2024 08:54
240625-kt32tatanr 320-06-2024 10:33
240620-mlkavasfpg 314-06-2024 11:00
240614-m4d7jsxfrc 314-06-2024 10:50
240614-mxppps1ekk 314-06-2024 10:39
240614-mp8gvaxbjc 311-06-2024 10:04
240611-l3yn5atcmn 311-06-2024 09:55
240611-lx1arssfle 611-06-2024 09:53
240611-lw1j5staqm 3General
-
Target
b28242123ed2cf6000f0aa036844bd29
-
Size
87KB
-
Sample
240517-m38d1aef41
-
MD5
b28242123ed2cf6000f0aa036844bd29
-
SHA1
915f41a6c59ed743803ea0ddde08927ffd623586
-
SHA256
fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
-
SHA512
08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
-
SSDEEP
1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc
Static task
static1
Behavioral task
behavioral1
Sample
b28242123ed2cf6000f0aa036844bd29.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b28242123ed2cf6000f0aa036844bd29.dll
Resource
win10v2004-20240508-en
Malware Config
Extracted
http://93.115.82.248/?0=1&1=1&2=9&3=i&4=9200&5=1&6=1111&7=cvmnqwsvya
Targets
-
-
Target
b28242123ed2cf6000f0aa036844bd29
-
Size
87KB
-
MD5
b28242123ed2cf6000f0aa036844bd29
-
SHA1
915f41a6c59ed743803ea0ddde08927ffd623586
-
SHA256
fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
-
SHA512
08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
-
SSDEEP
1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc
Score10/10-
Modifies WinLogon for persistence
-
Blocklisted process makes network request
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1