General
-
Target
app.bat
-
Size
17B
-
Sample
240620-xllh1swhnq
-
MD5
0b9427d56320d1f89c3914cb454d28b1
-
SHA1
db5886c6a1729c4358ddffb6856d70b18349f982
-
SHA256
3cdbe34a17347c64ca109be1af4fb993e02c4f0449fe4aca88a28aafc372b440
-
SHA512
d0fa0bf027cee5798b3a19100bd58f8d0abb422e3f7d00b8aa019eac72ded7926a28d3eb50db80fe8325da1831ada73a63580ecbe00f7cd5ca860d5e5a9f00b1
Malware Config
Targets
-
-
Target
app.bat
-
Size
17B
-
MD5
0b9427d56320d1f89c3914cb454d28b1
-
SHA1
db5886c6a1729c4358ddffb6856d70b18349f982
-
SHA256
3cdbe34a17347c64ca109be1af4fb993e02c4f0449fe4aca88a28aafc372b440
-
SHA512
d0fa0bf027cee5798b3a19100bd58f8d0abb422e3f7d00b8aa019eac72ded7926a28d3eb50db80fe8325da1831ada73a63580ecbe00f7cd5ca860d5e5a9f00b1
Score8/10-
Drops file in Drivers directory
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Modify Registry
1