Resubmissions

Submitted           Sample ID            Score
22-06-2024 22:27    240622-2dh55sxcqg    1
22-06-2024 20:53    240622-zpntnaterd    10
22-06-2024 20:49    240622-zl5b8stdra    8
22-06-2024 20:44    240622-zh4xastcpe    6
22-06-2024 20:43    240622-zhk47axfmn    6
22-06-2024 20:41    240622-zgtd6sxfjr    6
22-06-2024 20:39    240622-zfnsastbmf    8
22-06-2024 20:39    240622-zfa67sxemq    6
21-06-2024 05:48    240621-ghrmvstcnp    8
21-06-2024 05:40    240621-gcwpmayhra    10

General

  • Target: Pickles.mov
  • Size: 3.2MB
  • Sample: 240621-gcwpmayhra
  • MD5: 07b8fab59b31c2051fd984770c3a0c9f
  • SHA1: c5c538f0df6cd623904be651d9f8b37524009f23
  • SHA256: 10ee43270f9a89d833f8dfbef5ee304725c6922a12adeb65ec876e28e8149c06
  • SHA512: 810fd9247aa6bb735d52e754c09ae30e0de115711ca7a3b4ffbd2dd01473a2c2f48f6884bd70a143addd5c9afaf96f535217f4b57a151a17375fc54f547b80bd
  • SSDEEP: 49152:qkiSeTEQbR6yFrjL5vQN5wEdoAnQUR1T9OiOvMYmBTswaPg5aj3AOk02AMvGUev2:DQbEy1jlvmTQUFOtvMd5QjmFAMHcZyUU

Malware Config

Targets

    • Target: Pickles.mov, 3.2MB (MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

    • Modifies WinLogon for persistence

    • UAC bypass

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2
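Most of the signatures above (Winlogon helper, Active Setup stub, RegEdit/Task Manager policy values, changed exefile association) leave traces in the registry, so they can be verified offline against a .reg export taken from the sandbox VM or an infected host. The script below is an added example and is not the sandbox's own signature code or anything extracted from the sample: the .reg text, the GUID and the C:\Users\Public paths in it are constructed to resemble what the reported behaviour would leave behind, and the "known-good" defaults (DEFAULT_SHELL, DEFAULT_USERINIT, the exefile command) and the Active Setup allow-list of benign stub prefixes are assumptions about a stock Windows install, not values taken from this report.

```python
"""Offline audit of a Windows .reg export for the registry indicators
behind the sandbox signatures above: Winlogon Shell/Userinit changes
(T1547.004), Active Setup StubPath (T1547.014), DisableRegistryTools /
DisableTaskMgr (T1562.001) and exefile association hijack (T1546.001).

Added example, not the sandbox's signature code. SAMPLE_REG is
constructed; DEFAULT_* values and BENIGN_STUB_PREFIXES are assumptions
about a stock Windows install.
"""
import re

# Constructed .reg export (not from the sample) showing the indicators plus one benign Active Setup entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ABCD1234-0000-0000-0000-000000000001}]
"StubPath"="C:\\Users\\Public\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\loader.exe\" \"%1\" %*"
"""

# Key paths are compared lower-cased because registry key names are case-insensitive.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYSTEM = r"\software\microsoft\windows\currentversion\policies\system"
ACTIVE_SETUP = "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
DEFAULT_SHELL = "explorer.exe"                       # assumption: stock value
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # assumption: stock value, trailing comma stripped
DEFAULT_EXEFILE_CMD = '"%1" %*'                      # assumption: stock value
# Assumption: legitimate Active Setup stubs live under the Windows directory or invoke regsvr32/rundll32.
BENIGN_STUB_PREFIXES = ("c:\\windows\\", "%systemroot%", "%windir%", "regsvr32", "rundll32")

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name: value}}.
    Only REG_SZ ("...") and REG_DWORD (dword:...) values are kept; binary
    hex: values are ignored since none of the checks need them."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        rhs = m.group(3)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)
    return keys


def audit(keys):
    """Return [(attack_id, description)] for every indicator present."""
    findings = []
    wl = keys.get(WINLOGON, {})
    shell = wl.get("Shell")
    if isinstance(shell, str) and shell.lower() != DEFAULT_SHELL:
        findings.append(("T1547.004", f"Winlogon Shell modified: {shell}"))
    userinit = wl.get("Userinit")
    if isinstance(userinit, str) and userinit.lower().strip('"').rstrip(",") != DEFAULT_USERINIT:
        findings.append(("T1547.004", f"Winlogon Userinit modified: {userinit}"))
    for path, values in keys.items():
        if path.endswith(POLICY_SYSTEM):          # HKCU or HKLM policy hive
            for name in ("DisableRegistryTools", "DisableTaskMgr"):
                if values.get(name) == 1:
                    findings.append(("T1562.001", f"{name}=1 in {path}"))
        elif path.startswith(ACTIVE_SETUP):
            stub = values.get("StubPath")
            if isinstance(stub, str) and not stub.lower().lstrip('"').startswith(BENIGN_STUB_PREFIXES):
                findings.append(("T1547.014", f"Active Setup StubPath outside Windows: {stub}"))
    cmd = keys.get(EXEFILE_CMD, {}).get("@")
    if isinstance(cmd, str) and cmd != DEFAULT_EXEFILE_CMD:
        findings.append(("T1546.001", f"exefile open command hijacked: {cmd}"))
    return findings


if __name__ == "__main__":
    for tid, desc in audit(parse_reg(SAMPLE_REG)):
        print(f"[{tid}] {desc}")
```

Run it as-is to see the five findings from the constructed export, or feed it a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon out.reg`, then `parse_reg(open("out.reg", encoding="utf-16").read())`, since reg.exe writes UTF-16). The Active Setup allow-list is a heuristic and will flag legitimate third-party stubs installed outside the Windows directory; treat those hits as leads to confirm against file hashes rather than as verdicts.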

MITRE ATT&CK Matrix (ATT&CK v13; number of matching signatures in parentheses)

Persistence
  T1547        Boot or Logon Autostart Execution (2)
  T1547.004      Winlogon Helper DLL (1)
  T1547.014      Active Setup (1)
  T1546        Event Triggered Execution (1)
  T1546.001      Change Default File Association (1)

Privilege Escalation
  T1547        Boot or Logon Autostart Execution (2)
  T1547.004      Winlogon Helper DLL (1)
  T1547.014      Active Setup (1)
  T1548        Abuse Elevation Control Mechanism (1)
  T1548.002      Bypass User Account Control (1)
  T1546        Event Triggered Execution (1)
  T1546.001      Change Default File Association (1)
  T1134        Access Token Manipulation (1)
  T1134.002      Create Process with Token (1)

Defense Evasion
  T1112        Modify Registry (5)
  T1548        Abuse Elevation Control Mechanism (1)
  T1548.002      Bypass User Account Control (1)
  T1562        Impair Defenses (1)
  T1562.001      Disable or Modify Tools (1)
  T1134        Access Token Manipulation (1)
  T1134.002      Create Process with Token (1)

Discovery
  T1012        Query Registry (2)
  T1120        Peripheral Device Discovery (1)
  T1082        System Information Discovery (3)

Command and Control
  T1102        Web Service (1)

Tasks