General

  • Target

    sample

  • Size

    19KB

  • Sample

    240517-qagblaab4x

  • MD5

    8c0b2721020d3eedb6e5d9c21bdcd53d

  • SHA1

    1bd71ad7eede70b76c7c107122bbb6a561d7df96

  • SHA256

    8278337660fa2460d7664cedef6f6a7b9eb4a6b14956a074e1b467550fe23ef8

  • SHA512

    4409ab5cbc6bd01c8a54da3aecca93273cdf322036f5641e74de6236d744762b0563efd90724bd7681b9f50cb9b1e1550fe5b5497dc2b9c8878261d9016b108b

  • SSDEEP

    384:rHViETDpmReVoOs4ki9ylKeGMrU8HhhbHeA7Fo2paWhOwob0B+AIJCgMmV6:r17BVoOs4kmyI1MTBhb++EWhOwob0kJO

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Executes dropped EXE

    • Modifies file permissions

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
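
The signatures above are behaviour matches, not indicators tied to this sample's hashes, so they are the part of the report that transfers to host triage and log detection. The script below is an added example, not Triage's own signature code, that encodes four of them (Winlogon hijack, DisableTaskMgr, System32 drop, ACL rewriting) as rules and runs them over a handful of constructed sandbox-style events. The Event schema, the event values and the list of ACL tools are assumptions made for the example; the stock Winlogon values (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,) and the DisableTaskMgr policy location are real Windows defaults.

```python
"""Detection logic for behaviours flagged in this report, run over constructed
sandbox-style events.  Added example: not Triage's own signature code, and the
Event schema below is an assumption, not a real sandbox export format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Winlogon key whose Shell / Userinit values are hijacked for persistence (T1547.004).
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values; anything else appended or substituted is a hit.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}
# Policy key where DisableTaskMgr = 1 blocks Task Manager (T1112).
TASKMGR_POLICY_KEY = re.compile(
    r"^HK(?:LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.I)
SYSTEM32_DIR = re.compile(r"^C:\\Windows\\System32\\", re.I)
# Built-in tools commonly used to rewrite ACLs (T1222); a heuristic, not a complete list.
ACL_TOOLS = re.compile(r"\b(?:icacls|cacls|takeown)(?:\.exe)?\b", re.I)


@dataclass
class Event:
    """One sandbox event (constructed schema): kind is reg_set, file_write or process."""
    kind: str
    path: str          # registry key, file path, or process image
    name: str = ""     # registry value name (reg_set only)
    data: str = ""     # registry value data, or command line (process only)


def _normalise(value: str) -> str:
    # Winlogon values compare case-insensitively and Userinit carries a trailing comma.
    return value.strip().rstrip(",").strip().lower()


def detect(events: List[Event]) -> List[Tuple[Optional[str], str, Event]]:
    """Return (ATT&CK id or None, signature name as in the report, event) per hit."""
    hits = []
    for ev in events:
        if ev.kind == "reg_set":
            if ev.path.lower() == WINLOGON_KEY.lower() and ev.name.lower() in WINLOGON_DEFAULTS:
                if _normalise(ev.data) != WINLOGON_DEFAULTS[ev.name.lower()]:
                    hits.append(("T1547.004", "Modifies WinLogon for persistence", ev))
            elif (TASKMGR_POLICY_KEY.match(ev.path)
                  and ev.name.lower() == "disabletaskmgr"
                  and ev.data.strip() == "1"):
                hits.append(("T1112", "Disables Task Manager via registry modification", ev))
        elif ev.kind == "file_write" and SYSTEM32_DIR.match(ev.path):
            # The report lists this signature without an ATT&CK id, so none is assigned.
            hits.append((None, "Drops file in System32 directory", ev))
        elif ev.kind == "process" and ACL_TOOLS.search(ev.data):
            hits.append(("T1222", "Modifies file permissions", ev))
    return hits


def summarise(hits) -> Dict[str, int]:
    """Count hits per signature name, the shape the report's signature list has."""
    counts: Dict[str, int] = {}
    for _, signature, _ in hits:
        counts[signature] = counts.get(signature, 0) + 1
    return counts


# Constructed events: two hijacks, one stock Winlogon value, one System32 drop,
# one ACL change and one benign user-profile write.
SAMPLE_EVENTS = [
    Event("reg_set", WINLOGON_KEY, "Shell", r"explorer.exe,C:\Users\Public\svchost.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
          "DisableTaskMgr", "1"),
    Event("reg_set", WINLOGON_KEY, "Userinit", r"C:\Windows\system32\userinit.exe,"),
    Event("file_write", r"C:\Windows\System32\sample.exe"),
    Event("process", r"C:\Windows\System32\icacls.exe",
          data=r'icacls "C:\Windows\System32\sample.exe" /grant Everyone:F'),
    Event("file_write", r"C:\Users\Public\notes.txt"),
]

if __name__ == "__main__":
    for technique, signature, ev in detect(SAMPLE_EVENTS):
        print(f"{technique or '-':10} {signature}: {ev.path} {ev.name} {ev.data}".rstrip())
    print(summarise(detect(SAMPLE_EVENTS)))
```

The Winlogon rule compares against the stock value rather than looking for known-bad strings, so an appended second executable (the usual trick, since Windows runs every comma-separated entry) is caught without a signature for the payload name. On a live host the same comparison can be done by reading the Winlogon key and the Policies\System key directly; the sample's own hashes above are only useful for confirming this exact file.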

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                 Technique                                     Count  ID
Persistence            Boot or Logon Autostart Execution             1      T1547
Persistence            Winlogon Helper DLL                           1      T1547.004
Privilege Escalation   Boot or Logon Autostart Execution             1      T1547
Privilege Escalation   Winlogon Helper DLL                           1      T1547.004
Defense Evasion        Modify Registry                               1      T1112
Defense Evasion        File and Directory Permissions Modification   1      T1222
Discovery              System Information Discovery                  2      T1082
Discovery              Query Registry                                1      T1012
Command and Control    Web Service                                   1      T1102

Tasks