General

  • Target

    Maintenance.zip

  • Size

    7.0MB

  • Sample

    240530-xw9nlahf99

  • MD5

    928a76956965ffd9ff49f129056255f3

  • SHA1

    4662b09323cbc5e71a640e28bb83617a3047618c

  • SHA256

    cf428bdbd8985af9eb3e137b4dd206df0583c06a144a8252acc1979e9ccb225c

  • SHA512

    765193135e021de3c68474494950fd4a6a9052037ed9b8bb8aa076185bd3f11b4a3d3d0b0e6a5c27d1e377b5a356833e9aa7c45abacee2ac33733673b6ad5f8f

  • SSDEEP

    98304:yLUghTmrB1Bez+EGHtjJe6aFqqlf3e7Fd6e6GMRelVLjAk94lYVJZ5SYQVJLV9dL:475c5veP5kF4e6eXLh5SYQ/vdO6

Malware Config

Targets

    • Target

      Maintenance/rong.exe

    • Size

      277KB

    • MD5

      060d01a06716718bf818a53a50e9b669

    • SHA1

      b070a04847e467111103cf6872d755738a1b38b2

    • SHA256

      94f216ebc35eaaa45e11b94633a3af3daeee79a3fc9659606d438600842316a3

    • SHA512

      246e3cf70422bb4da782b8956656cf6b4e456987fa3a0d88a31f69ba2416af59aff88bfd57cec8fb8b3f3bd965bd9d64b1e35e8ef40736dc034adfc25ac889d0

    • SSDEEP

      3072:bG+1egX1rRALh+7LJqL1Fly9DAoBwyLNhcC2FVcZV9RxANZcCmcWe0se2wJDhyKE:mglrEkxu1y9Db1k+xKcCmfeRet0KY

    • Score

      1/10

    • Target

      Maintenance/ste.exe

    • Size

      6.9MB

    • MD5

      082b02c8cebe0f81a1c82782c2dd5bb1

    • SHA1

      ae20859b0045ceb64d39c45db9e8aeb634ea1cf9

    • SHA256

      fdca4bc14c8ea31e448bffaf13aecbf9d727b9897ea44e905b9fe2a2987898ad

    • SHA512

      af1bdcdf2ff849d2e7c18ce9a24b9099034210ec01a0726f2e263a14fe4341e53056de310e71502d4f43bdff44828fb278b9ca4cd75b7034f416307a6dbff172

    • SSDEEP

      98304:EZvITBgZpeDamaHl3Ne4i3lqoFhTWrf9eQc0MJYzwZNqkzmZs5J1nD1ksBnrN5Jt:E9IsHeNlpYfMQc2sXhnD1ksVPJt

    • Deletes Windows Defender Definitions

      Uses the mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Maintenance/vcruntime140.dll

    • Size

      42KB

    • MD5

      65bc79ec84cabe4c7ed8ce9a5fa2828b

    • SHA1

      87d66dd545643bb848179598a37c0a93c0a80512

    • SHA256

      14d683fb00c746eefa9cf44663b667cfdf28e814ac95e2415a93a6bf920155de

    • SHA512

      60344faec9a6c2d868513188f28e2ff4a4140b48288361427f76552a261b99f6e146af4d880c0a30c623f5397c6cc2cedf86b473caa70252890e3cebad4bb383

    • SSDEEP

      384:y5SA8M63a8et/cqqsKtEi9iYOd3AeeQDOeUc/bYHtQ1NnSPDuITCoGRxrIafIQXg:yoA8M2J9op5DOeUc/bYHtJNdegKdk

    • Score

      1/10

    • Target

      Maintenance/vcruntime140Org.dll

    • Size

      93KB

    • MD5

      ade7aac069131f54e4294f722c17a412

    • SHA1

      fede04724bdd280dae2c3ce04db0fe5f6e54988d

    • SHA256

      92d50f7c4055718812cd3d823aa2821d6718eb55d2ab2bac55c2e47260c25a76

    • SHA512

      76a810a41eb739fba2b4c437ed72eda400e71e3089f24c79bdabcb8aab0148d80bd6823849e5392140f423addb7613f0fc83895b9c01e85888d774e0596fc048

    • SSDEEP

      1536:wkb0wrlWxdV4tyfa/PUFSAM/HQUucN2f0MFOHH+FVfecbTUhnvUuJ:wWD4eUp+HQpcNg0MFGH+FVfecbTUh8c

    • Score

      1/10

MITRE ATT&CK Enterprise v15

Tasks