General

  • Target

    04062024_0152_03062024_Quote Parts.zip

  • Size

    625KB

  • Sample

    240604-caqy5shc9w

  • MD5

    4274a6bd52ec6761e46537dddb53dd38

  • SHA1

    f4c2d6ce1305e39046365b03ac806a68bbff3d5d

  • SHA256

    0ebb8fde500f89a41864c8f8dd7e926a205c4a0ec3e914e25e5af61208cddc40

  • SHA512

    97188fcf2fafaa7aa3b5d0132c3c6fa0537228201205c2273b0451c63294e0ccf5bb1b45195269b8d14edd33747379e93e6d44248dfb174cf34d04511a735680

  • SSDEEP

    12288:SJVqSzdcQLcSakWa/CcS00ACwMAB5jYnfvrGRcBQPYNhfBr3O:SJ3ZxVakWlWdRBynfvrGR2NtBr+

Malware Config

Targets

    • Target

      Quote Parts/Quote Parts.exe

    • Size

      638KB

    • MD5

      bb0546305cb4aaa5a3c3021561122f8f

    • SHA1

      cc861fa754e8c23141fadb6c20a5ea9d1fa574cc

    • SHA256

      478cc499c5197c2905ca3138f9eb42a6c9e60d6692a7e01018bff9e3b3ecc4f3

    • SHA512

      2fdbff7174c346dccc8e252158bfb14c23c399ba4916b1f8280ea12890f20337aa2b6beede77e67b798c663619bbf2144749034bcbd2c30b04b101b6a53d3c45

    • SSDEEP

      12288:/qjUTScSzdcOLcSaCWaZC6S0+AmwMAvPjY5NvrGRapCPYNh1Br62:/qATWZlVaCW5qhRv85NvrGRSN/BrD

    • UAC bypass

    • Windows security bypass

    • Adds policy Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext
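The behaviours above (Run key and policy Run key persistence, Defender exclusions added through PowerShell, the registry country-code lookup, and the UAC check) are easy to triage from a process and registry event trace. The following is an added example written for this page, not code from the sandbox or from the report; it classifies a constructed list of events against those signatures. The registry locations it matches (the `Control Panel\International\Geo` value `Nation` for the location check, and `EnableLUA` under `Policies\System` for the UAC check) are assumptions about what those signatures inspect, and the event schema and sample events are constructed for the example.

```python
"""Classify constructed sandbox events against the behaviours this report lists."""
import re

# Registry paths the report's signatures refer to (hive prefix stripped, lower-case).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
POLICY_RUN_KEY = r"software\microsoft\windows\currentversion\policies\explorer\run"
GEO_KEY = r"control panel\international\geo"              # assumption: value "Nation" is the country code
UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"  # assumption: value "EnableLUA"

# Add-MpPreference is the cmdlet that adds Defender exclusions; capture each exclusion switch and its value.
EXCLUSION_RE = re.compile(r"""-Exclusion(Path|Extension|Process)\s+([^\s"']+)""", re.IGNORECASE)
HIVE_RE = re.compile(r"^(hkcu|hklm|hku|hkey_current_user|hkey_local_machine|hkey_users)\\", re.IGNORECASE)


def normalize_key(key: str) -> str:
    """Lower-case a registry path and drop the hive prefix so HKCU/HKLM spellings compare equal."""
    return HIVE_RE.sub("", key.strip().lower()).replace("/", "\\")


def defender_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every exclusion an Add-MpPreference command line adds."""
    if not re.search(r"\badd-mppreference\b", cmdline, re.IGNORECASE):
        return []
    return [(kind.capitalize(), value) for kind, value in EXCLUSION_RE.findall(cmdline)]


def classify(events: list[dict]) -> dict[str, list[int]]:
    """Map each report signature to the indexes of the events that trigger it."""
    hits: dict[str, list[int]] = {}

    def hit(label: str, index: int) -> None:
        hits.setdefault(label, []).append(index)

    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "proc" and "powershell" in ev.get("image", "").lower():
            if defender_exclusions(ev.get("cmdline", "")):
                hit("Windows security modification (Defender exclusions via PowerShell)", i)
        elif kind in ("reg_set", "reg_query"):
            key = normalize_key(ev["key"])
            value = ev.get("value", "").lower()
            if kind == "reg_set" and key.endswith(POLICY_RUN_KEY):
                hit("Adds policy Run key to start application", i)
            elif kind == "reg_set" and key.endswith(RUN_KEY):
                hit("Adds Run key to start application", i)
            elif kind == "reg_query" and key.endswith(GEO_KEY) and value == "nation":
                hit("Checks computer location settings", i)
            elif kind == "reg_query" and key.endswith(UAC_POLICY_KEY) and value == "enablelua":
                hit("Checks whether UAC is enabled", i)
    return hits


# Constructed events for this example; they are not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -Command Add-MpPreference -ExclusionPath C:\Users\Public "
                r"-ExclusionExtension .exe -ExclusionProcess updater.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Users\Public\updater.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value": "updater", "data": r"C:\Users\Public\updater.exe"},
    {"type": "reg_query", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "reg_query", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA"},
    {"type": "proc", "image": "powershell.exe", "cmdline": "powershell Get-MpPreference"},  # benign read
]

if __name__ == "__main__":
    for label, indexes in classify(SAMPLE_EVENTS).items():
        print(f"{label}: events {indexes}")
    print("exclusions added:", defender_exclusions(SAMPLE_EVENTS[0]["cmdline"]))
```

The benign `Get-MpPreference` process is deliberately included: only a command line that invokes `Add-MpPreference` with an exclusion switch counts as a security modification, so auditing reads of the Defender configuration does not trip the rule. On a real host the same exclusion list can be confirmed with `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess`.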

MITRE ATT&CK Enterprise v15

Tasks