General

  • Target

    Sigma Serial Changer (Temp).exe

  • Size

    7.0MB

  • Sample

    240603-b13vysef7y

  • MD5

    5e686c1b99bda6e9f751b15f1ada8738

  • SHA1

    ea96386a588d9fe3665f200da7d8f5c5763bb9d4

  • SHA256

    8cfa5d067e6ea8774f8ca3ddbfe86c17e3f06a76753910cefb04409af6099368

  • SHA512

    638e8920bb702743be8f0d66d386bfaad187cb8fe431c2c31b0c9bd542bc5d9eedeafd42ec117e14bb62376a506e0cbf8c1170767af7323144d5ac1eb76328bd

  • SSDEEP

    196608:Nr5wiFAzvHgJEeN/FJMIDJf0gsAGK4R8un/TA:o7vg5/Fqyf0gst8u/8

Malware Config

Targets

    • Target

      Sigma Serial Changer (Temp).exe

    • Size

      7.0MB

    • MD5

      5e686c1b99bda6e9f751b15f1ada8738

    • SHA1

      ea96386a588d9fe3665f200da7d8f5c5763bb9d4

    • SHA256

      8cfa5d067e6ea8774f8ca3ddbfe86c17e3f06a76753910cefb04409af6099368

    • SHA512

      638e8920bb702743be8f0d66d386bfaad187cb8fe431c2c31b0c9bd542bc5d9eedeafd42ec117e14bb62376a506e0cbf8c1170767af7323144d5ac1eb76328bd

    • SSDEEP

      196608:Nr5wiFAzvHgJEeN/FJMIDJf0gsAGK4R8un/TA:o7vg5/Fqyf0gst8u/8

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks