General

  • Target: 2024-06-12_17-25-16 (1).mkv
  • Size: 8.4MB
  • Sample: 240615-qaqj9svgpq
  • MD5: da618ecc84aeb8b3ecff4917fdaef79e
  • SHA1: 39a7d35196627e1dec8f4183d98db80cf5e6192e
  • SHA256: 6d0d28599bdae5e1be654c7e452fb52f3c6db970c21ec5659397756f53502f09
  • SHA512: af916975141ebbeb3f340d4d7f890dc910c2197eac92a5f7869c21f8348d665a2681e173eb148be29b16f4f99de11acf46d6e089dee747be6b36997352e21965
  • SSDEEP: 196608:lnFKfQM1EIl3cN8p7CldOqWqUzDuKpEfJQEjpXzj:lwL1EIyNyCOjbHuKEQEVjj

Malware Config

Targets

    • Target: 2024-06-12_17-25-16 (1).mkv

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique                              | Hits | ID
  ---------------------|----------------------------------------|------|----------
  Persistence          | Boot or Logon Autostart Execution      | 1    | T1547
  Persistence          |   Winlogon Helper DLL                  | 1    | T1547.004
  Persistence          | Pre-OS Boot                            | 1    | T1542
  Persistence          |   Bootkit                              | 1    | T1542.003
  Privilege Escalation | Boot or Logon Autostart Execution      | 1    | T1547
  Privilege Escalation |   Winlogon Helper DLL                  | 1    | T1547.004
  Privilege Escalation | Abuse Elevation Control Mechanism      | 1    | T1548
  Privilege Escalation |   Bypass User Account Control          | 1    | T1548.002
  Defense Evasion      | Modify Registry                        | 3    | T1112
  Defense Evasion      | Abuse Elevation Control Mechanism      | 1    | T1548
  Defense Evasion      |   Bypass User Account Control          | 1    | T1548.002
  Defense Evasion      | Impair Defenses                        | 1    | T1562
  Defense Evasion      |   Disable or Modify Tools              | 1    | T1562.001
  Defense Evasion      | Pre-OS Boot                            | 1    | T1542
  Defense Evasion      |   Bootkit                              | 1    | T1542.003
  Discovery            | System Information Discovery           | 3    | T1082
  Discovery            | Query Registry                         | 2    | T1012
  Discovery            | Peripheral Device Discovery            | 1    | T1120
  Command and Control  | Web Service                            | 1    | T1102

Tasks