General

  • Target

    3f1414acc122559e44c9760949639fa6.bin

  • Size

    1.6MB

  • Sample

    240604-bz4qvsgg3v

  • MD5

    48d32d0d9a092589ff01d31730db03d5

  • SHA1

    41ccd24bbeef17aab2bc9e20f553222a77ac153e

  • SHA256

    d6eed977741825badacec5402690aab5ee64622e405102d7e88a38c5b615fdf1

  • SHA512

    4d37ddb8863de2dc3064a488ed96c29352d43f40fbd965ab91b1ad4b421d3fff0aba0bb79a33f2cb849f88db773968ed05315d83dacf6dd08053aa6ed60fd1e1

  • SSDEEP

    24576:cppuL/hwYjr8EDt6nDek7mDnFIf6hnpq/v3gUYZtYqlLMxk21Q1sfVri/4sFJ:c25wQ8EYnDJ0GwnpitGY8LM+21QGNunJ

Malware Config

Targets

    • Target

      a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe

    • Size

      2.1MB

    • MD5

      3f1414acc122559e44c9760949639fa6

    • SHA1

      b2e9d49489ded5b9ed2e77d273047381e21657b9

    • SHA256

      a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168

    • SHA512

      eff86d7fb57e5644d10d5cf80d82db3c611563795334c863218aacae7e5c1bf2c1cf42e36fd63f276762df9d16da5b5888651da704f91ecee9f1d02093a882d3

    • SSDEEP

      49152:IBJ0k1H8oajdVSBlwRh8QniHqyxLfNDNTHS:yGk1idXNCqyxLfvHS

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory
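
The signatures above name four host locations worth checking on a machine suspected of having run this sample: the Winlogon Shell/Userinit values, the Run keys, the Windows Defender exclusion lists, and fresh unsigned files in System32. The following triage script is an added example and is not part of the sandbox report or the sample's own code. It assumes an elevated PowerShell 5.1 or later session on a Windows host with Microsoft Defender present; the registry paths, the stock Winlogon values, and the one-day window for System32 drops are standard values or assumptions chosen for illustration, not indicators taken from the report.

```powershell
# Added triage example (not from the report). Audits the locations that the
# report's signatures point at and returns a list of findings.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon: on a stock install Shell is "explorer.exe" and Userinit is
#    "C:\Windows\system32\userinit.exe," (trailing comma). Anything appended
#    runs at every interactive logon. HKCU normally carries no such values at all.
$winlogonDefaults = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                   'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $winlogonDefaults.Keys) {
        $value = $props.$name
        if ($null -eq $value) { continue }
        $isUser = $key -like 'HKCU:*'
        if ($isUser -or $value -ne $winlogonDefaults[$name]) {
            $findings.Add("Winlogon $name in ${key}: '$value'")
        }
    }
}

# 2. Run/RunOnce keys: report every entry whose executable is not validly signed
#    or cannot be found (the path in the value may use environment variables).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        # Extract the executable from the command line: quoted path, else first token.
        $exe = ($p.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $status = if (Test-Path $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'MissingFile' }
        if ($status -ne 'Valid') {
            $findings.Add("Run entry $key\$($p.Name) = '$($p.Value)' [signature: $status]")
        }
    }
}

# 3. Defender exclusions: a clean host usually has none, so any entry is a lead.
try {
    $mp = Get-MpPreference -ErrorAction Stop
    foreach ($path in $mp.ExclusionPath)     { $findings.Add("Defender path exclusion: $path") }
    foreach ($ext in $mp.ExclusionExtension) { $findings.Add("Defender extension exclusion: $ext") }
    foreach ($proc in $mp.ExclusionProcess)  { $findings.Add("Defender process exclusion: $proc") }
} catch {
    $findings.Add("Get-MpPreference unavailable: $($_.Exception.Message)")
}

# 4. Location setting the sample reads for its geofence check (informational only).
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
if ($geo) { $findings.Add("Info: HKCU Geo Nation=$($geo.Nation)") }

# 5. Recently created EXE/DLL files in System32 that are not validly signed.
#    Assumed one-day window; catalog-signed OS files may report NotSigned on
#    older Windows builds, so treat hits as leads rather than verdicts.
$cutoff = (Get-Date).AddDays(-1)
Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $status = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        if ($status -ne 'Valid') {
            $findings.Add("Recent non-validly-signed file in System32: $($_.FullName) ($status)")
        }
    }

if ($findings.Count -eq 0) { 'No findings in the audited locations.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and Get-MpPreference are readable; per-user Run and Winlogon values are only visible for the account the session runs as, so repeat it under each profile that may have executed the sample. A populated exclusion list or a non-default Userinit value does not by itself prove this sample ran, but either one matches the behaviour the report records and justifies collecting the referenced binaries for hashing against the values in the General section.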

MITRE ATT&CK Enterprise v15
