General

  • Target

    wps_office_inst.exe

  • Size

    5.5MB

  • Sample

    240612-kxwf5swhqr

  • MD5

    374f077b74762d300c35b62947d9738e

  • SHA1

    316f2577ac4e911543fc6fc1279034952d5f0f84

  • SHA256

    45ee781e271d0483d777a55544ccd44a9490ad26f533dc89816c068adb61ccb6

  • SHA512

    dc580db7a7d2cf4c4d3b24e5375762048d6feddd00f3201b7f2236634b6c5d909f6833056a82a318b15876a28de2aafa22e8e0d99c2960d1a3e15a02972dc60b

  • SSDEEP

    98304:3eF0/sAT4mGfckjASn3ZCto1N1BpxgTuiN54AR6K8OU/ha27:sSsATN+V3k0pxMkAR8ZN

Malware Config

Targets

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1
  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1
  • Modify Registry (T1112): 3
  • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1

Credential Access

  • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

Discovery

  • System Information Discovery (T1082): 3
  • Query Registry (T1012): 2

Collection

  • Data from Local System (T1005): 1

Tasks