General

  • Target

    userassist-tool.exe

  • Size

    12.7MB

  • Sample

    240620-jn39yswhmh

  • MD5

    4f632fe72cf0db88f6bcc9555ff857ff

  • SHA1

    5de7916c3248c9da7e3572cdb42f3cc28eb76d48

  • SHA256

    1040a1fbb98532043ac33ce5bf11a5e493ab8cf7c7baa703a9df0166dda0cf62

  • SHA512

    02e2f60510a3ac5adc6fe78bb96c14ee2bca7b00504b8256e5c5c55836f7bf04e96f93f75981477117c404f89868c0f98a29f1b5f30c47e3f3305da61e003ea3

  • SSDEEP

    196608:lZFMT4SxZk98GseGJI1JgUZmKO1Cb0TeN/FJMIDJf0gsAGK4RFuozTp:GzZW8GsR0Jgja/Fqyf0gstFuCF

Targets

    • Target

      userassist-tool.exe

    • Deletes Windows Defender Definitions

      Uses the MpCmdRun utility (MpCmdRun.exe -RemoveDefinitions -All) to delete all Windows Defender AV definitions, leaving the engine without signatures to match against.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      Reads ACPI table keys under HKLM\HARDWARE\ACPI (VirtualBox exposes its tables with the OEM ID VBOX__) to detect a VirtualBox guest.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell (Add-MpPreference / Set-MpPreference with -ExclusionExtension, -ExclusionPath and -ExclusionProcess) to add Windows Defender exclusions for file extensions, paths and processes, so that matching files are no longer scanned.

    • Checks BIOS information in registry

      Reads BIOS vendor and product strings from HKLM\HARDWARE\DESCRIPTION\System\BIOS. Virtual machines and sandboxes usually expose identifiable values here, so this is commonly an anti-analysis check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser profile data such as saved credentials, cookies and autofill entries.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer; packing hides strings and code from static inspection until the file is unpacked in memory.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

      Reads the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to learn whether elevation will prompt the user.

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected host's external IP address.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the thread from delivering debug events to an attached debugger (anti-debug).
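The two Defender-tampering behaviours listed above (definition removal via MpCmdRun and exclusion-adding via PowerShell) are the ones most worth hunting for in process-creation telemetry. The following is an added example, not part of this report and not code from the sample: a small Python rule set run over constructed Sysmon-style (image, command line) records. The records, rule names and the Finding type are assumptions made for the example; the MpCmdRun and Add-MpPreference/Set-MpPreference parameters it matches are the real ones.

```python
"""Hunt for Windows Defender tampering in process-creation command lines.

Added example; the events below are constructed, not captured from the sample.
"""
import re
from dataclasses import dataclass

# Constructed (image path, command line) records in the shape Sysmon Event ID 1
# or Security 4688 would provide. Events 2-4 are benign negatives.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionExtension exe,dll '
     r'-ExclusionPath C:\Users\Public -ExclusionProcess svchost.exe"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -Command "Set-MpPreference -CheckForSignaturesBeforeRunningScan $true"'),
    (r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe report.txt"),
]


@dataclass(frozen=True)
class Finding:
    """One rule hit (hypothetical type for this example)."""
    rule: str
    detail: str


# MpCmdRun.exe -RemoveDefinitions [-All | -Engine | -DynamicSignatures]
MPCMDRUN_REMOVE = re.compile(r"(?:^|\s)-RemoveDefinitions\b", re.IGNORECASE)
MPCMDRUN_ALL = re.compile(r"(?:^|\s)-All\b", re.IGNORECASE)
# Add-MpPreference / Set-MpPreference with any of the three exclusion parameters.
MP_PREFERENCE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion(Extension|Path|Process)\s+([^\s\"';]+)",
                             re.IGNORECASE)


def image_name(image: str) -> str:
    """Lower-cased basename of the process image, so path prefixes do not matter."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_defender_tampering(image: str, command_line: str) -> list[Finding]:
    """Apply both rules to a single process-creation record."""
    findings: list[Finding] = []
    exe = image_name(image)

    # Rule 1: definitions removed through MpCmdRun. -All wipes engine and signatures;
    # without it only the selected component is removed, which is still notable.
    if exe == "mpcmdrun.exe" and MPCMDRUN_REMOVE.search(command_line):
        scope = "all" if MPCMDRUN_ALL.search(command_line) else "selected"
        findings.append(Finding("defender_definitions_removed",
                                f"MpCmdRun -RemoveDefinitions, scope={scope}"))

    # Rule 2: exclusions added via the Defender cmdlets. Only the exclusion parameters
    # fire; other Set-MpPreference usage stays quiet so the rule is specific.
    if exe in ("powershell.exe", "pwsh.exe") and MP_PREFERENCE.search(command_line):
        for kind, value in EXCLUSION_PARAM.findall(command_line):
            findings.append(Finding("defender_exclusion_added", f"-Exclusion{kind} {value}"))

    return findings


def scan(events):
    """Run the rules over (image, command_line) records; return (event index, Finding)."""
    return [(i, f) for i, (img, cmd) in enumerate(events)
            for f in detect_defender_tampering(img, cmd)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] {finding.rule}: {finding.detail}")
```

Real telemetry often carries the PowerShell payload as -EncodedCommand (base64 UTF-16LE); decode it into the command-line field before matching, or these patterns will miss it.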
