fd1ed2881c65f85e57a54789e4f65453184087394114f9e3b28e789dcbd0af32 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

MalwareBazaar.0
Size

641KB
Sample

240723-l2evmazema
MD5

2e0fe3570c788f57d46a5f77ed981785
SHA1

f23117619c29df8856b53ac803db319788eeedd1
SHA256

fd1ed2881c65f85e57a54789e4f65453184087394114f9e3b28e789dcbd0af32
SHA512

a582c5ab9ba5f8151ece20b4616c4ba6d53d262929816e1310bc3117c4a78fa901f5aba9daa7f6125ad7ebbdb27d8335bf35daf487a89e8864155ae2904f0213
SSDEEP

12288:XnI8+Xz3xVo4s07jwU/a3iw6qC7OTGztnQF8bBLTucaKAlR4N:X6j4V0t/fhYGBzZmnRC

Score

10^/10

evasion execution persistence trojan

Malware Config

Targets

- Target
  
  new order list attached.exe
- Size
  
  1.3MB
- MD5
  
  ccc431f7f61f9aeec3cab9f01352214e
- SHA1
  
  11d0637469bafcdca12f5591457f2c5e4ca1af56
- SHA256
  
  466a54d0b40dae3da963f52da4b2e993deca81ee39a2bb4b6d41582e5feff5e3
- SHA512
  
  e57c280f57b5aa72362b502c963179470efd6114ac5ee52cff59cc8cca83e5d453e27e55e2495e00ce2549b322dad2920cb75e13edd43fa35033ea2f9813b6a9
- SSDEEP
  
  12288:HNLn2J8+XJ3HPoYo07jsMZa3EOAqC7WT0ltDQFSbBL1uccKslJy:tLnsZAz0vZ9hw0ffZqlJy
Score

10^/10

evasion execution persistence trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionexecutionpersistencetrojan

behavioral2

evasionexecutiontrojan