General
-
Target
58079fa79c6d9cd01b097dc4affccfd4790ca67d34c0da53604c4a51d2c66ceb
-
Size
9.3MB
-
Sample
240529-1sln5sca59
-
MD5
233d5e6e3510a971211f490f3c5ac05b
-
SHA1
04cdd97b598c3ecbccf3349392cd81195e531c9d
-
SHA256
58079fa79c6d9cd01b097dc4affccfd4790ca67d34c0da53604c4a51d2c66ceb
-
SHA512
5eff28b0f28a747a537030a7027bda85481282a8de49d895d9818e8da3c568df03ee29830d53bcbd205a90e9155f455141ee56db754da4ab8117cad6fb5c4e12
-
SSDEEP
6144:w1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqBQFHgTE86JQPDHDdx/Qtqa:NOkiCpat4FU6JXKqmZgEPJQPDHvd
Malware Config
Targets
-
-
Target
58079fa79c6d9cd01b097dc4affccfd4790ca67d34c0da53604c4a51d2c66ceb
-
Size
9.3MB
-
MD5
233d5e6e3510a971211f490f3c5ac05b
-
SHA1
04cdd97b598c3ecbccf3349392cd81195e531c9d
-
SHA256
58079fa79c6d9cd01b097dc4affccfd4790ca67d34c0da53604c4a51d2c66ceb
-
SHA512
5eff28b0f28a747a537030a7027bda85481282a8de49d895d9818e8da3c568df03ee29830d53bcbd205a90e9155f455141ee56db754da4ab8117cad6fb5c4e12
-
SSDEEP
6144:w1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqBQFHgTE86JQPDHDdx/Qtqa:NOkiCpat4FU6JXKqmZgEPJQPDHvd
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Adds policy Run key to start application
-
Disables RegEdit via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1