General

  • Target

    Nizelo Beta.exe

  • Size

    7.6MB

  • Sample

    240628-e1pj4s1cre

  • MD5

    7c4592a0898dd124d9f723a5409f0bc5

  • SHA1

    f015ec7e40802d92b75b16fb8474df3b2b7fb7e3

  • SHA256

    12ce04c210d438321f76049b5ad9e1fc09dffe8d460ead81d41ec1390ea6e27d

  • SHA512

    8cbbbedb3d1f7ec02781e0d52e658782fd540d5d7222250ea2ddca1d489a686622e628c68d58e8fd8c67c788a6fd603e089dbe6ec66cf4def0f240e842d06b47

  • SSDEEP

    98304:J/DjWM8JEClk1rBamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfFSpXq7eRaYKJJx:J/01eNTfm/pf+xk4dNSESRatrbWOjgKt

Malware Config

Targets

    • Target

      Nizelo Beta.exe

    • Size

      7.6MB

    • MD5

      7c4592a0898dd124d9f723a5409f0bc5

    • SHA1

      f015ec7e40802d92b75b16fb8474df3b2b7fb7e3

    • SHA256

      12ce04c210d438321f76049b5ad9e1fc09dffe8d460ead81d41ec1390ea6e27d

    • SHA512

      8cbbbedb3d1f7ec02781e0d52e658782fd540d5d7222250ea2ddca1d489a686622e628c68d58e8fd8c67c788a6fd603e089dbe6ec66cf4def0f240e842d06b47

    • SSDEEP

      98304:J/DjWM8JEClk1rBamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfFSpXq7eRaYKJJx:J/01eNTfm/pf+xk4dNSESRatrbWOjgKt

    • Renames multiple (89) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks