General

  • Target

    WinRAR-Archiv (neu) (2).rar

  • Size

    1.4MB

  • Sample

    240612-wx6snaydlk

  • MD5

    b7be5a5aae49f249ee312439bb70493c

  • SHA1

    d010a23cffeb011b63908fb793e31087f4ff35e5

  • SHA256

    8bdb5fc2e050c3ad42a6ec38b857a784857335f947c7894f5114945b15588bb7

  • SHA512

    147091fcea84428ba5a7577e4d032346bb400720763676d1a4dc307e0979d0176d71429c17e45025e4b5ec66943a55b59ee46fb260c1f855e600876b400372fe

  • SSDEEP

    24576:mHGe41ekIm2yi/shHPLWqbyBXqHm9KvOHVdW6X1WsUY068NA7Ue6oD:mHGH7Im2yi0hvLWqbDHm421dWxsv0PNC

Targets

    • Target

      WinRAR-Archiv (neu) (2).rar

    • Size

      1.4MB

    • MD5

      b7be5a5aae49f249ee312439bb70493c

    • SHA1

      d010a23cffeb011b63908fb793e31087f4ff35e5

    • SHA256

      8bdb5fc2e050c3ad42a6ec38b857a784857335f947c7894f5114945b15588bb7

    • SHA512

      147091fcea84428ba5a7577e4d032346bb400720763676d1a4dc307e0979d0176d71429c17e45025e4b5ec66943a55b59ee46fb260c1f855e600876b400372fe

    • SSDEEP

      24576:mHGe41ekIm2yi/shHPLWqbyBXqHm9KvOHVdW6X1WsUY068NA7Ue6oD:mHGH7Im2yi0hvLWqbDHm421dWxsv0PNC

    • Score

      3/10
    • Target

      Bitmap2.exe

    • Size

      449KB

    • MD5

      e6fde1d03e517023456a524254a4ab1c

    • SHA1

      18cc63ea206412e6e95e930e3c907d9e4ccdc828

    • SHA256

      17c3a80b3b0b77c77132e17ae27372cf7f34bc2ffbdbdaa9026286fd04ced3ef

    • SHA512

      31a2f65c7b69da483c96bf0b57397ee318b1035dc165835b26a07e14918b5e02e4494a1f6552182fdb0ed8c2bf3adab4a899fb1716ec51b90d7875f327906d45

    • SSDEEP

      3072:f+0q7Do7FBdCGPVHzzgd2HPVVf9AebuLFfK9s7I/mkltK4L6INgDd9zqi3lhai6t:f+0kDUrak9gorrUq6ai3lx/

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ColorCs.exe

    • Size

      356KB

    • MD5

      064731f13b394e422bd0efe9e90f4e11

    • SHA1

      7dad29243267bf00c2f2a471977f3414334d7e1a

    • SHA256

      c17a9219955b64f8787fc34f53391c921457307bc077419af0b848d64a4544a4

    • SHA512

      413a30376a28ff631a08c176370920726501f43bccaaf0e6cade769d0cee1a7cc48885e756978d8c41e43af8a5d62dde30ce8cefc40e3679f8c3d18d1083ed9e

    • SSDEEP

      3072:Qu3oxns7CGPVHzzgd2HPVVf9AebuLFfK9s7IaRxNgD6NZb5T9aaJQtF5HUkIG9yp:fYxqrak9gorux6Cht9eUkkht95Ukq/

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      MS 0735.6+7421.exe

    • Size

      171KB

    • MD5

      b13850aceaf6c1ee66c61bc94135fa25

    • SHA1

      f23280f6bec2f097ddf77b97bb19b643a2c5a80b

    • SHA256

      ae2a43a7d58e9766fac59032ba1ecf1df7866ce5bc09b879c6bb111036789ed2

    • SHA512

      d4344edb6e4a460e162169e5621fbf851538c70c6489cca034d1600c3a9a677e8cfa0607e464ea8de3a22066928f540833bc10bf18ae3b1ec7e9147c0d3a897b

    • SSDEEP

      3072:GCmnJfQORyjZZcmGl40SWY6iEmoQVuMl:GlfQOGQcDVrl

    • Disables Task Manager via registry modification

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      RingHeads32.exe

    • Size

      923KB

    • MD5

      588737b0ad63cd1c3b367b6769f8f3d2

    • SHA1

      4f13cd9d31b619f95afa05325d61be54a7b0ba24

    • SHA256

      da6422cd3f07ce7379c0304640e20d4d0be8d3f7c4cb3f4c715b9e162c51dbe4

    • SHA512

      e6e0050e272378059845cc51199df2493245f0ebbc7ab5a2ccc1deea02cb37865b7003a1f903d6452ed1d1029c0a27bfd7cd8667d6565a563e08e869b7855f90

    • SSDEEP

      12288:eyXDNXQoPpYxmppnkuYDhpYwOccrgB3VNn4WcW73VG7Cjv/56VHB1EZZY45R9OZT:p5Dm8nCb9OrriY/y3Vxv/5i70Z/lMj

    • UAC bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Disables Task Manager via registry modification

    • Stops running service(s)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer, including modified UPX builds.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      TEST.exe

    • Size

      61KB

    • MD5

      1fc7057e3a64fb047aa9563f31b37523

    • SHA1

      20840be5360448889dc7d2a61b29d82ec7ff922f

    • SHA256

      e9e653de560c457f3955f7dbdb4384b3cb938fc800cbfa2d0f298d1d1ff4d259

    • SHA512

      14d1e60fe35bb87f3ee3202609b9505c7496633f0365f425ac2f9df4afa6d13b4fafa97f79a9fadb5e09c9a8cac7508bc17b249ba0d8633ac4220899ae11f623

    • SSDEEP

      1536:KEiBwAw/cGYQi1y2QNAx1FcLD12Qs7yGVd7Ulnouy8B+IR2Lp:8B9wUGYQN2XD6UdYoutB+IEl

    • Score

      8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • UPX packed file

      Detects executables packed with the UPX open-source packer, including modified UPX builds.

    • Drops file in System32 directory

    • Target

      TEST1.exe

    • Size

      61KB

    • MD5

      17652b12276e49894bd809c94046c026

    • SHA1

      a11ead44c1a6d22cb76b48a33e86aff12368e7cb

    • SHA256

      a44f5ce561a6a1f40210df4069da321e8150092a2dd6d3d2189e3e13945cf66d

    • SHA512

      b0824d4d3cf3b8ad2ed8b58607f3cc10f70fc21cb841511598ead0847acdac73f631176dc1fa4c89b3c1383b19097c828d765afe0665b5b451d62de70f3b6b3d

    • SSDEEP

      1536:nEiBwAw/cGYQi1y2QNAx1FcLD12Qs7yGVd7Usnouy8yIR2Lp:dB9wUGYQN2XD6UdJoutyIEl

    • UAC bypass

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer, including modified UPX builds.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      destr3ktdows.exe

    • Size

      50KB

    • MD5

      411304a605b942a2f111831782bc5fca

    • SHA1

      e56ed02610f213390bf3e445a87e458f23f037ed

    • SHA256

      50deeaa3b874d665af30c6f574fe3715e7693636228d19f22c99dd43705373c3

    • SHA512

      f986e3a3ffbb7840f1c129ac99846fbee1b939b9addadc0b73ab6c1c39266d492af3f112d8f19b0e9662710afc33537766a490fa7f14d27c3eff0b2afea83d85

    • SSDEEP

      384:DvTTvzABJKYpcu3LlKeTmkm0xoQ8npKQD9DCN6D7zrt:Dvf7sJKYpcu33bxoQ+v5D7P

    • Disables Task Manager via registry modification

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      dhjfxtyyz0.exe

    • Size

      287KB

    • MD5

      bbc99b4ceb03acc5ee62058fd456da45

    • SHA1

      a64b4305b041d32d1f4701183ae02f495bbd9911

    • SHA256

      cdbec8af54e3f82ae6c1339abf33186ee47d8e0a320e9c2fbee8e5f2ac13d090

    • SHA512

      bd281d750d23b77ef4835ad2db8c03fbdadca3c52de412e27e843073f582a7e0020629bed140439863d36fed79a1f9b77ea4431440d0340258e69430c85cc88a

    • SSDEEP

      3072:JFWheprUakbY8QcSwQProQOrjOsGdMbnruHKO0qdYJOqKRoLIRR:MWrh6DQcSLTmrjOsGOb9O0qdFqKqs

    • Disables Task Manager via registry modification

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.
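
Five of the dropped files above carry the "Writes to the Master Boot Record" signature. The following is an added example, not code from this report or from the sandbox, of the check a responder runs on a suspect host: read sector 0 and compare its bootstrap code, disk signature and partition table with a known-good image. The sector images below are constructed for the demonstration and are not captured from the analysed samples; `read_mbr` is the only function that touches a real disk and needs administrator rights on Windows.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440      # bootstrap code area; the 4-byte disk signature follows at 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55AA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status(1) CHS-first(3) type(1) CHS-last(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def mbr_diff(baseline: bytes, current: bytes) -> list:
    """Name the regions that differ between a known-good MBR and the one read now."""
    good, now = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not now["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if good["bootstrap_sha256"] != now["bootstrap_sha256"]:
        findings.append("bootstrap code modified (bootkit indicator)")
    if good["partitions"] != now["partitions"]:
        findings.append("partition table modified")
    if good["disk_signature"] != now["disk_signature"]:
        findings.append("disk signature modified")
    return findings


def read_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (needs administrator rights on Windows)."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_mbr(bootstrap: bytes, partitions=(), disk_sig: int = 0x12345678) -> bytes:
    """Assemble a synthetic MBR image; used only to construct the demo sectors."""
    sector = bytearray(SECTOR_SIZE)
    code = bootstrap[:BOOTSTRAP_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed images, not sectors captured from the analysed samples.
NTFS_PART = [(True, 0x07, 2048, 204800)]
GOOD_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, NTFS_PART)
BOOTKIT_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 64, NTFS_PART)   # same table, bootstrap replaced
WIPED_MBR = bytes(SECTOR_SIZE)                                    # everything zeroed

if __name__ == "__main__":
    for label, image in (("bootkit", BOOTKIT_MBR), ("wiped", WIPED_MBR)):
        print(label, mbr_diff(GOOD_MBR, image))
```

The baseline must come from a known-good image of the same host build: the disk signature and partition table are host-specific, so only the bootstrap hash is comparable across machines. On a UEFI/GPT system sector 0 still holds a protective MBR, and the same comparison applies to it.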
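
Three of the files above carry a "UPX packed file" verdict. The following is an added example, not the sandbox's own detector, of how such a verdict is reached from the PE section table alone: look for the UPX0/UPX1 section names, for a first section that is empty on disk (the area the UPX stub decompresses into at run time), and for the "UPX!" marker that UPX leaves after the section table. The PE images are constructed minimal skeletons, not the samples in this report; the `RENAMED` case stands in for a modified UPX build with renamed sections.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # COFF header: skip Machine, read NumberOfSections, skip 12 bytes, read SizeOfOptionalHeader
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def upx_indicators(data: bytes) -> dict:
    """Structural UPX indicators: section names, empty first section, 'UPX!' marker."""
    secs = pe_sections(data)
    names = {s["name"] for s in secs}
    # Real UPX0 has no bytes on disk; the stub decompresses UPX1 into it at run time.
    empty_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    # The 'UPX!' marker sits in the header area, before the first section's raw data.
    ptrs = [s["raw_ptr"] for s in secs if s["raw_ptr"]]
    header_end = min(ptrs) if ptrs else len(data)
    return {
        "upx_section_names": sorted(n.decode() for n in names & UPX_SECTION_NAMES),
        "empty_first_section": empty_first,
        "upx_marker_in_header": b"UPX!" in data[:header_end],
    }


def looks_upx_packed(data: bytes) -> bool:
    """Section names or the header marker are each sufficient; the empty section alone is not."""
    ind = upx_indicators(data)
    return bool(ind["upx_section_names"]) or ind["upx_marker_in_header"]


def build_pe(section_names, raw_sizes, marker: bytes = b"") -> bytes:
    """Construct a minimal PE32 skeleton (headers plus filler sections) for the demo."""
    e_lfanew, opt_size, headers_size = 0x80, 0xE0, 0x200
    nsec = len(section_names)
    table = e_lfanew + 4 + 20 + opt_size
    assert table + 40 * nsec + len(marker) <= headers_size, "too many sections for the demo"
    hdr = bytearray(headers_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)        # PE32 optional-header magic
    raw_ptr, vaddr = headers_size, 0x1000
    for i, (name, raw) in enumerate(zip(section_names, raw_sizes)):
        struct.pack_into("<8sIIII", hdr, table + 40 * i, name.ljust(8, b"\0"),
                         max(raw, 0x1000), vaddr, raw, raw_ptr if raw else 0)
        raw_ptr += raw
        vaddr += 0x10000
    marker_off = table + 40 * nsec
    hdr[marker_off:marker_off + len(marker)] = marker
    return bytes(hdr) + b"".join(b"\x90" * r for r in raw_sizes)


# Constructed images, not the samples from this report.
PACKED = build_pe([b"UPX0", b"UPX1", b".rsrc"], [0, 0x400, 0x200], marker=b"UPX!")
RENAMED = build_pe([b".text", b".data", b".rsrc"], [0, 0x400, 0x200], marker=b"UPX!")  # sections renamed
CLEAN = build_pe([b".text", b".data", b".rsrc"], [0x400, 0x200, 0x200])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, looks_upx_packed(image), upx_indicators(image))
```

The renamed case is the "modified UPX" half of the signature: renaming sections defeats the name check but not the marker. A build that also strips the marker leaves only the empty first section, which is too weak on its own because a legitimate uninitialised-data section looks the same on disk, so a packer verdict from structure alone should be confirmed by unpacking or an entropy check.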

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is listed with its ATT&CK ID and the number of signature hits across the analysed files; sub-techniques are nested under their parent technique. A technique appears under every tactic it serves, so Scheduled Task/Job is listed under Execution, Persistence and Privilege Escalation with the same count.

Execution

    • Scheduled Task/Job (T1053): 3
    • Command and Scripting Interpreter (T1059): 2
        • PowerShell (T1059.001): 2
    • System Services (T1569): 2
        • Service Execution (T1569.002): 2

Persistence

    • Boot or Logon Autostart Execution (T1547): 2
        • Registry Run Keys / Startup Folder (T1547.001): 2
    • Pre-OS Boot (T1542): 5
        • Bootkit (T1542.003): 5
    • Scheduled Task/Job (T1053): 3
    • Create or Modify System Process (T1543): 2
        • Windows Service (T1543.003): 2

Privilege Escalation

    • Boot or Logon Autostart Execution (T1547): 2
        • Registry Run Keys / Startup Folder (T1547.001): 2
    • Scheduled Task/Job (T1053): 3
    • Abuse Elevation Control Mechanism (T1548): 2
        • Bypass User Account Control (T1548.002): 2
    • Create or Modify System Process (T1543): 2
        • Windows Service (T1543.003): 2

Defense Evasion

    • Modify Registry (T1112): 13
    • Pre-OS Boot (T1542): 5
        • Bootkit (T1542.003): 5
    • Abuse Elevation Control Mechanism (T1548): 2
        • Bypass User Account Control (T1548.002): 2
    • Impair Defenses (T1562): 4
        • Disable or Modify Tools (T1562.001): 2

Discovery

    • System Information Discovery (T1082): 5
    • Query Registry (T1012): 2
    • Peripheral Device Discovery (T1120): 1

Impact

    • Service Stop (T1489): 2
    • Defacement (T1491): 2
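
The registry-based signatures in this report (Task Manager and RegEdit disabled, Run key added, desktop wallpaper set) all surface on an endpoint as Sysmon Event ID 13 (RegistryEvent: value set). The following is an added example, not code from the sandbox or the report, of mapping such events back to the signature names and the ATT&CK IDs used in the matrix above and producing the same kind of per-technique hit count. The event records are constructed JSON lines using Sysmon field names, not events captured from these samples; the file names follow the report, the paths and SID are made up.

```python
import json
import re


def dword(details):
    """Sysmon renders REG_DWORD writes as 'DWORD (0x00000001)'; return the integer or None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]{8})\)", details or "")
    return int(m.group(1), 16) if m else None


def nonzero(details):
    return dword(details) not in (None, 0)


def any_value(details):
    return True


# (signature name from the report, ATT&CK ID from the report's matrix,
#  TargetObject pattern, check on the written Details).
# Every rule here also counts under Modify Registry (T1112).
RULES = (
    ("Disables Task Manager via registry modification", "T1562.001",
     re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I), nonzero),
    ("Disables RegEdit via registry modification", "T1562.001",
     re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I), nonzero),
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I), any_value),
    ("Sets desktop wallpaper using registry", "T1491",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I), any_value),
)


def triage(lines):
    """Match Sysmon Event ID 13 (RegistryEvent: value set) records against RULES."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue
        for signature, technique, pattern, check in RULES:
            if pattern.search(ev["TargetObject"]) and check(ev.get("Details")):
                findings.append({"signature": signature, "technique": technique,
                                 "image": ev["Image"], "target": ev["TargetObject"]})
    return findings


def technique_counts(findings):
    """Per-technique hit counts, the figure the ATT&CK matrix reports."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed records with Sysmon field names; not events captured from the samples.
HKU = r"HKU\S-1-5-21-1000"
SAMPLE_LINES = [json.dumps(e) for e in (
    {"EventID": 13, "Image": r"C:\Users\Admin\Desktop\Bitmap2.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\Desktop\Bitmap2.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\Desktop\Bitmap2.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Bitmap2",
     "Details": r"C:\Windows\System32\Bitmap2.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\Desktop\RingHeads32.exe",
     "TargetObject": HKU + r"\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\wall.bmp"},
    # Benign writes that must not fire: an unrelated Explorer setting, and Task Manager re-enabled.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000000)"},
)]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["technique"], f["signature"], f["image"])
    print(technique_counts(triage(SAMPLE_LINES)))
```

Sysmon only records these writes if its configuration includes the Policies\System, Run and Control Panel\Desktop keys in its RegistryEvent filter. The zero-valued DisableTaskMgr record is why the rules check the written value and not just the key path: a policy refresh that re-enables Task Manager writes the same value name.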
