General
-
Target
dugga_848274.seb
-
Size
5KB
-
Sample
240522-l1yaksbd3x
-
MD5
7867d29c88ed216103feb5021f01ebf8
-
SHA1
543af5ce7d60b6bf66d44d6bc42515d7fc97e796
-
SHA256
43adf87d5486202112a4bdea368abc46b5fb6f2ae2a6083b8a87e18723b2feee
-
SHA512
f0a22affd6b56154e0ad15a28fadedbc1977fc1fe72b6280d3d87c72ad8d7df1b3a465d9532869a30c09e88cd35ab0f0f6ed188513a38a5ae090d575797354a9
-
SSDEEP
96:xUS0wqaXc0hWp9nVRcerCWZIIvj2y/dT2/7HpPotQWtfDmDa:xUncc79VierCW7vj9/Q/7pKQULf
Malware Config
Targets
-
-
Target
dugga_848274.seb
-
Size
5KB
-
MD5
7867d29c88ed216103feb5021f01ebf8
-
SHA1
543af5ce7d60b6bf66d44d6bc42515d7fc97e796
-
SHA256
43adf87d5486202112a4bdea368abc46b5fb6f2ae2a6083b8a87e18723b2feee
-
SHA512
f0a22affd6b56154e0ad15a28fadedbc1977fc1fe72b6280d3d87c72ad8d7df1b3a465d9532869a30c09e88cd35ab0f0f6ed188513a38a5ae090d575797354a9
-
SSDEEP
96:xUS0wqaXc0hWp9nVRcerCWZIIvj2y/dT2/7HpPotQWtfDmDa:xUncc79VierCW7vj9/Q/7pKQULf
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
sample
-
Size
5KB
-
MD5
c31020e4835be00569e290ee53515a93
-
SHA1
9ff7b0031069f6371cf7ed8b53659873df3eee5a
-
SHA256
629328afa29bb1b0abd0b3d5bc3fa71d232f8db3f639e4fbed78193306a1d665
-
SHA512
d79054ad1d7b168ad594018cd4afbbb23191210c563556404d0769d05dc5d2d3c21edd271fd20d026fa2357e9770b2c52c53ae3d7b0aa753c3d95f295a55c7bd
-
SSDEEP
96:TUS0wqaXc0hWp9nVRcerCWZIIvj2y/dT2/7HpPotQWtfDmDt:TUncc79VierCW7vj9/Q/7pKQULY
Score10/10-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies RDP port number used by Windows
-
Possible privilege escalation attempt
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
4Winlogon Helper DLL
1Pre-OS Boot
2Bootkit
2Privilege Escalation
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
4Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
10Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Pre-OS Boot
2Bootkit
2File and Directory Permissions Modification
1Subvert Trust Controls
1Install Root Certificate
1