9ef07ab4d3ca4bc2965ace2a3df3618726ed275fe899c449d4d50e078cb79dfa | Triage

Sharing

Copy URL Twitter E-mail

General

Target

9ef07ab4d3ca4bc2965ace2a3df3618726ed275fe899c449d4d50e078cb79dfa
Size

4.0MB
Sample

240527-a8m9ssbc73
MD5

a7f3bac4b5f94de423512b4bf766061a
SHA1

f8981a71c22feccc8b54c2e681325c27fefdfb24
SHA256

9ef07ab4d3ca4bc2965ace2a3df3618726ed275fe899c449d4d50e078cb79dfa
SHA512

38ee6e518f37a41190166e8cd7283ce53db16f7006d4b8509bbcef06c42f25e018f70314256dbd498f34b6d420c554e3e0ad94ffda3c52379fccf3bd09fe8128
SSDEEP

6144:yR8XcGxUEcNmnQ8/RtnYGcY31FvuhANv4hituxp38u0:+8cmnXJhYFY3jvuhANv4h8u/8

Score

10^/10

evasion persistence trojan

Malware Config

Targets

- Target
  
  9ef07ab4d3ca4bc2965ace2a3df3618726ed275fe899c449d4d50e078cb79dfa
- Size
  
  4.0MB
- MD5
  
  a7f3bac4b5f94de423512b4bf766061a
- SHA1
  
  f8981a71c22feccc8b54c2e681325c27fefdfb24
- SHA256
  
  9ef07ab4d3ca4bc2965ace2a3df3618726ed275fe899c449d4d50e078cb79dfa
- SHA512
  
  38ee6e518f37a41190166e8cd7283ce53db16f7006d4b8509bbcef06c42f25e018f70314256dbd498f34b6d420c554e3e0ad94ffda3c52379fccf3bd09fe8128
- SSDEEP
  
  6144:yR8XcGxUEcNmnQ8/RtnYGcY31FvuhANv4hituxp38u0:+8cmnXJhYFY3jvuhANv4h8u/8
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

evasionpersistencetrojan