General
-
Target
a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168
-
Size
2.1MB
-
Sample
240604-bd4hzaff5z
-
MD5
3f1414acc122559e44c9760949639fa6
-
SHA1
b2e9d49489ded5b9ed2e77d273047381e21657b9
-
SHA256
a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168
-
SHA512
eff86d7fb57e5644d10d5cf80d82db3c611563795334c863218aacae7e5c1bf2c1cf42e36fd63f276762df9d16da5b5888651da704f91ecee9f1d02093a882d3
-
SSDEEP
49152:IBJ0k1H8oajdVSBlwRh8QniHqyxLfNDNTHS:yGk1idXNCqyxLfvHS
Static task
static1
Behavioral task
behavioral1
Sample
a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe
Resource
win10v2004-20240426-en
Malware Config
Targets
-
-
Target
a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168
-
Size
2.1MB
-
MD5
3f1414acc122559e44c9760949639fa6
-
SHA1
b2e9d49489ded5b9ed2e77d273047381e21657b9
-
SHA256
a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168
-
SHA512
eff86d7fb57e5644d10d5cf80d82db3c611563795334c863218aacae7e5c1bf2c1cf42e36fd63f276762df9d16da5b5888651da704f91ecee9f1d02093a882d3
-
SSDEEP
49152:IBJ0k1H8oajdVSBlwRh8QniHqyxLfNDNTHS:yGk1idXNCqyxLfvHS
Score10/10-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Detects executables packed with unregistered version of .NET Reactor
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1