Overview

overview

10

Static

static

1

x-mouse-bu...f1.exe

windows7-x64

8

x-mouse-bu...f1.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    x-mouse-button-control-2.20.2-installer_4zR-Hf1.exe

  • Size

    1.7MB

  • Sample

    240521-m888gsbd35

  • MD5

    e0573ad79c7b7d1f79b0321777123239

  • SHA1

    7b8bc2e9304f29b119cede816b6177c63fb152bb

  • SHA256

    c5c50269e73257c72ae9d49f78fe9b872cf722b36c1eed27980b9ddb82c45da9

  • SHA512

    486dfdde8ef489a079c46015a880e84b0853c3e083ed5a2bbc5ac73194f62948cd907c342efcf08dcf9b882604e5e50a5b14e26605a2f4ec7649820696136335

  • SSDEEP

    24576:i7FUDowAyrTVE3U5F/5tk6t+Ki2T5J4CCRJw9B4dyuHjS3Ep7Wy:iBuZrEUzUKdT5wJw9Bu6

Score
10/10
cobaltstrikebackdoorbootkitdiscoveryevasionpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      x-mouse-button-control-2.20.2-installer_4zR-Hf1.exe

    • Size

      1.7MB

    • MD5

      e0573ad79c7b7d1f79b0321777123239

    • SHA1

      7b8bc2e9304f29b119cede816b6177c63fb152bb

    • SHA256

      c5c50269e73257c72ae9d49f78fe9b872cf722b36c1eed27980b9ddb82c45da9

    • SHA512

      486dfdde8ef489a079c46015a880e84b0853c3e083ed5a2bbc5ac73194f62948cd907c342efcf08dcf9b882604e5e50a5b14e26605a2f4ec7649820696136335

    • SSDEEP

      24576:i7FUDowAyrTVE3U5F/5tk6t+Ki2T5J4CCRJw9B4dyuHjS3Ep7Wy:iBuZrEUzUKdT5wJw9Bu6

    Score
    10/10
    bootkitdiscoverypersistencespywarestealercobaltstrikebackdoorevasiontrojan

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Downloads MZ/PE file

    • Modifies powershell logging option

      evasion

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

5
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

2
T1553

Install Root Certificate

1
T1553.004

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

7
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

6
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks