1a662d847f16850658216634eda7c98ce06b0c861017de16e8dc8ff12a412abe | Triage

Sharing

General

Target

spsetup132.zip
Size

5.8MB
Sample

240723-smwm6awfrp
MD5

c4d4604b7a7046ce120fa521c523afb8
SHA1

6a768435848ee0dc162272f30a86697218031914
SHA256

1a662d847f16850658216634eda7c98ce06b0c861017de16e8dc8ff12a412abe
SHA512

64e95c11790bd6350fd7e19e38bd7c4ae4ececcb09fea3baea94b3f582a49e8a276a54744dfa78e1d22b3bcf9b7c541863e5c441f920107c4cb1681aab8aa99f
SSDEEP

98304:7EjRykXXogQbChBxCJ1Uc111pLXlx4/iNsSnxuYr3lM5z6gVunIcPOqqV8PC+jp6:6RRXikC/UIbRRnl3lgznunOjVD85fkfp

Score

7^/10

bootkit discovery evasion lateral_movement persistence trojan

Malware Config

Targets

- Target
  
  Speccy.exe
- Size
  
  5.0MB
- MD5
  
  5ceba11afa3cb63e73320786dc0652ca
- SHA1
  
  d6d0971807f15b2c80d3164353edd00629c8ded5
- SHA256
  
  fdea8741ef3af7375ae7a10564b863a01b3646a8c427249e183646409f9166d2
- SHA512
  
  933d2b749e671745aae64fe29b0ec61c4070a3367f316fe78218e16ebcd3659f1ad46d17f543ac121d7c0c3140fd939b1aec0dca2883250f20ca69c00fe07c48
- SSDEEP
  
  98304:yHMNlpept3gSuDdFeznGkcBLwX1Pge/7yhg0:UMoptYDdFhkp7w
Score

6^/10

bootkit discovery lateral_movement persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  lateral_movement
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  Speccy64.exe
- Size
  
  6.8MB
- MD5
  
  ed1feb46b43c4b52b815a7572762ed6d
- SHA1
  
  0663ded285aeca6e7d95310df20a004034bb3e88
- SHA256
  
  e84fae9f0de05d8c3f67a21f2a10cbb842a75b1fc0eaf075428a934c78dc18cf
- SHA512
  
  6996b2f8bf0b15ee0f3c4f02f3b06a2f6f995aaa3dd52242e5bf94d783213a91d3d18046cf588b5f00e32a437d82ebb79700d374fc7f74d1fe754198fb04930e
- SSDEEP
  
  49152:7McPg8d3J5p6nMtHPpun99rNHjRo5xsU1wS5LCbStxqqzPEBKj/SUqUl/kgHmH80:8Ln05xsYAKjSVfCv8+2j2HAJ
Score

7^/10

bootkit evasion lateral_movement persistence trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  lateral_movement
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  lang/lang-1026.dll
- Size
  
  87KB
- MD5
  
  504d9531da2c668a22a8017d215bb24d
- SHA1
  
  14713f38be70430b4420a98f09045880e960317e
- SHA256
  
  1822c2dbea3b43a11026e5ce2c899bbc3fb720a2936a49fee27ad4689aa251db
- SHA512
  
  c23e45701fd6ebb5a5816c038e77be852ca25209b31a5b9e27f8263a0631cd4aa53c000b7d0595681d4eb3236b5e48a916dbc84d784bf6c9d9fbdf968606fe80
- SSDEEP
  
  1536:MysXNyTQZ8ppCNDFJlTMN1KK5Y+K+yY6pQm:UyTQZ8pYNDFJ41K6Yx3ym
Score

1^/10
behavioral5 behavioral6
- Target
  
  lang/lang-1031.dll
- Size
  
  86KB
- MD5
  
  b304ac34310f423175012e1275ed34a8
- SHA1
  
  46343affb1e510bcbb8042d923dc6123a2a0de00
- SHA256
  
  3ca644aff4ed66c6b9628f3303e4d423c7830e7eb53de6ae0aa15011ea6e2f45
- SHA512
  
  a19e57ace0a960a6cb6085801aa1a87e6044f02a5b532f40f59ef0181ccf04d9484deb090c2bd527bf5a6ba2d136c1d2a469511ed042b17e18feb72c461b5a34
- SSDEEP
  
  1536:h/sgoV2p/j1a2kZ/xC7M2K4CKtr1d55JUyY6pYP:egoV2p/j1a2kZ/xC7M2nCKtr11Jn36P
Score

1^/10
behavioral7 behavioral8
- Target
  
  lang/lang-1033.dll
- Size
  
  84KB
- MD5
  
  630e7b298fb8fb84168ba9f5f15e25ac
- SHA1
  
  0feebed05ca82779e7de0ed4ef5f245c40eb8e1a
- SHA256
  
  d28fdd31dfe2f4526db5ee0e4b8316d094c1488ec10099741ac1a060487de5a4
- SHA512
  
  21364605598aff28a04283714fb5ca1962b218c4466ed4889ec00d607f67b8d96a6af9964255fb869a4fe1fc1e1d461133367547583633ecbbeb55f3553fa6ca
- SSDEEP
  
  1536:q3/Xs6hyk2oj68ppCNDuROTMN1K75FlzyY6peXh:D652oO8pYNDuRP1KNa3sx
Score

1^/10
behavioral10 behavioral9
- Target
  
  lang/lang-1034.dll
- Size
  
  95KB
- MD5
  
  f6fb0b54cea4db9b7d54ab9543548a4b
- SHA1
  
  285782b237703580f6986208be82c4a70d5bf8d5
- SHA256
  
  45b0921c96fbfadf7cb14044a05d58ddf223e592f98081b50c66077bff2d28e2
- SHA512
  
  d6a0ae46bb36c0a93dfb1b271cbd05d9a69504342450dcbb377b687b14e0a4ad086553d415c6c269d36d8b708c49a887d4970aad587028739019bf055b77a649
- SSDEEP
  
  768:c0HZD89V9ehEPpbelZ9xkxX7YIFC20Jj1V+WOpOWogcAn75rMDym5hbmyY6pG3lC:c0tGoEh/XMIF1iVXeOpw5gF5YyY6pG0
Score

1^/10
behavioral11 behavioral12
- Target
  
  lang/lang-1035.dll
- Size
  
  91KB
- MD5
  
  85e26889c019974b9623931a2c3e8638
- SHA1
  
  f84738c66a9a6ee01782e35e45483041084df410
- SHA256
  
  e407fb143cb97482cbebd3cba0dff648315291bc918bdf3b72184a0fba8b679d
- SHA512
  
  3cb761fe14e67a8432cdd0a03a0bba45e166cbb83a35e62b6b44ace26e108ee3ff8b2b902e5dd136f25b16a4621b90a51936ebdc8c352ca08fd198cc2ce35a19
- SSDEEP
  
  1536:N50one96gI20LMEK2WOI18E5lHyY6pH9G:lne96O0LMjOI18kA3J0
Score

1^/10
behavioral13 behavioral14
- Target
  
  lang/lang-1036.dll
- Size
  
  92KB
- MD5
  
  51c2d6f028c80550d4202957f17338fb
- SHA1
  
  b2d9109545b0cb1836631c67a3a1ef0fe562f871
- SHA256
  
  efa7e21d9d7262a32984984e875eb10fd69caab7a358e4b63a35b6ab0304663b
- SHA512
  
  16e3fda4c87df7ed7eaab83464c2152e2701468a4fabb36733eae63a62ab3d04f11a69ed740fd69292404a2f57eb0b800ccc188ac6626f49f60d7395dd6a08e7
- SSDEEP
  
  768:g/oZ6dXKg7MiweK4szKDKHkpPq8sX5myhqAn87RVEym5VewmyY6pXhT:gwZmXKZ7gRqUNRc5U/yY6pN
Score

1^/10
behavioral15 behavioral16
- Target
  
  lang/lang-1037.dll
- Size
  
  75KB
- MD5
  
  0f414d18dd8176edd464cc50d5d2df63
- SHA1
  
  78f5346a65872ab07187162c2edcb6b87781b926
- SHA256
  
  a0b540ba56daba6e8baa9e7c5c37e2583a6cb6b559a47f6e746029fb19eaa49f
- SHA512
  
  e00b0e0f7d75b9fff70370a5ab23347c73e7a4c8cdb082419d113cd0f2369bdb549e8fe8680395aefc84ab1f33ca01302be1af72a0d729a732649dd955a81fac
- SSDEEP
  
  1536:ZRYvAPYKZBxS/Gu4nNaXi0s0IdVOaaLoU4giOLYp05hr87CyY6pT:kAQkBxS/Gu53IdVOaLrgioYOh8V35
Score

1^/10
behavioral17 behavioral18
- Target
  
  lang/lang-1038.dll
- Size
  
  90KB
- MD5
  
  885e783c4610091799fa49c9bcb8bd81
- SHA1
  
  d80d6b944711248ce218e60954d42b3a99a8f383
- SHA256
  
  8aa69744f39fbe127529316f418a31125cfc9b18595ed945ff11658ed7beae47
- SHA512
  
  7826d9e137e4ed7f9561857539eae3b6136a3bc517d59c6c55e366d45f80cf893542eca1574b9396666976193b8373d75a3c73cc6b5cea00f95543e531cf4f7e
- SSDEEP
  
  1536:KCNvs7jEQxHc94O7GT/L8dD9mvSlt6I8a4FNhcagvEE6431OZyr6PTWkGGm3xXHd:fNvskQxHc94O7GT/L8dD9cSlt6I8a4Fk
Score

1^/10
behavioral19 behavioral20
- Target
  
  lang/lang-1040.dll
- Size
  
  89KB
- MD5
  
  a78eb46037eb4f5479838c1a47755d08
- SHA1
  
  2ffc42d24b9026974f8f8d3c05a645eeccba5b9e
- SHA256
  
  525dd5abdd8f9be48ef07b19be2b99f78daa81f360b7d62cd6168e9101b30aa7
- SHA512
  
  63534b8f4019ac75237d8b4524e67936aedf6ca9bebe08ce0b80eff9ced0dab3cfcd95a5ee94a123181ec7af7c6f0c0fbaf24a1caeb1ff0a18f0d6641c1783de
- SSDEEP
  
  768:B5MEJ687CC2JiqiEvMJBHMBJknEY6ywyEGVP8XpPMGbwnpN2ym5BMmyY6pihWi:bnJqLiqnMJBHcJnpGVk555JyY6pQ
Score

1^/10
behavioral21 behavioral22
- Target
  
  lang/lang-1041.dll
- Size
  
  65KB
- MD5
  
  5735ae7df3676508c3bbe1aae4650bb8
- SHA1
  
  497bf1ead07f9a77317084047fdd236bb6a79536
- SHA256
  
  59ab270da6d8b5f2841dd30ac5003a2c68459d71e2170679874d6df62184c5ba
- SHA512
  
  9adf9e0fd069fe81b30396d6b4283d4fd983e2899e8b48160bc436d371a9fd885ae3726cde617b75c1ab40462802372890e5ef2b1b4e2178d7dd28207af8f2dc
- SSDEEP
  
  768:meqAndElilPdRUQ0NeLfmD13FK8Wv+LfGQTIn9ym5Md8myY6pTTh2s:rqAnkiZCeLeDO8WQ+P5MVyY6pws
Score

1^/10
behavioral23 behavioral24
- Target
  
  lang/lang-1043.dll
- Size
  
  91KB
- MD5
  
  bde1d8cdd23f7aa1dbc02ed583f0440c
- SHA1
  
  281346ad51c2e0794ea02afad1bde2670f0e714f
- SHA256
  
  65912cc466a8e38ce24f3c5145cf19ec012deec00750f6c39c6a80c8fab7e71b
- SHA512
  
  fd96505a829cb2a4eb0c662f98a3da7a630c3898cae7da3eddfb72193ee6104e4f9ffb6d50b549bbbdd5b69e2d75295a43ae60d1bc74ad4ddb3ea953dbdc627c
- SSDEEP
  
  1536:QIkJMtJUZftteEoCWVkdmtiPIe/3x6DBpmpeotaYBs8M7JuvXsELEj53DoyY6pqw:rkJsJUZftQCWVkdmtiQE3x6DBpmsotaX
Score

1^/10
behavioral25 behavioral26
- Target
  
  lang/lang-1045.dll
- Size
  
  90KB
- MD5
  
  eefebcae2d611001cec1f0e90dcf8ab1
- SHA1
  
  d4cafc39f9f551798ec928478d056ce2f1506cfe
- SHA256
  
  2d1ee163e5a0cacbd4d824899cbfa6f8ef7b394a84c65ce8a160ef0fadade187
- SHA512
  
  f6a08a036646a0f0ed9c7f78db692c27573996a8aec0083d4216ebec77c6b8cfc475b6ee8540f5569c6b540ba405351cf4777e248a041ad837d6464c1ce47155
- SSDEEP
  
  768:OiiX5Ge5fBU0ghnlCExbWZHF734DHoZX93IBt3CV2k8DI12pAnsg9Zym5hmyY6pr:OiiX5H5Js0CbWz7cIV2kv5gyY6pNF
Score

1^/10
behavioral27 behavioral28
- Target
  
  lang/lang-1046.dll
- Size
  
  87KB
- MD5
  
  99d1f6e9e19ce4c9ee831424496a2ad6
- SHA1
  
  3eabbf0094c5d23fb3db190b1c00e3e3ee6ba0a3
- SHA256
  
  6c391ebecb530ebe4129a0cda5e56d184931337b0c562e19f0d0cd347af7c59b
- SHA512
  
  932903fe08e5d48a87c2ed66725bb7f97db818b48fa02fa525506e41f0c4df3ef878fe13463a71d5c4bce0b08c4e9d5046a855d316614c24b3baad1cf4723147
- SSDEEP
  
  1536:dX75hXVxUNplMBs2TS0pCNDaw+TLZ1Kk56yY6pa:bjx22TS0YNDap1KEB3s
Score

1^/10
behavioral29 behavioral30
- Target
  
  lang/lang-1049.dll
- Size
  
  85KB
- MD5
  
  0f4d3aa61e9d5d7d7f6ccc6965b74c2f
- SHA1
  
  2f796d6ae6efb23e8e524757882c666e96e7b829
- SHA256
  
  c7892df5d292d80f5e498a41aba3ae22430d82386a6aa5fe616982c926da2ef3
- SHA512
  
  021bf38699b2db68741ef334003e0cd898a9c1ffab7d27854aba1d58c28c013da4094fd0ca377e846b8b31310a5dc8aae36befdfdc8bcf98945b2b3531b35f1e
- SSDEEP
  
  768:GhXQnH2V/a7h/ymcW3kwG+50eKet7Jxqe1X/pym5vT9myY6p/fh9:GhAWVwh4mG+5x5vYyY6pP
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Remote Services

SMB/Windows Admin Shares

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitdiscoverylateral_movementpersistence

behavioral2

bootkitdiscoverylateral_movementpersistence

behavioral3

bootkitevasionlateral_movementpersistencetrojan

behavioral4

bootkitevasionlateral_movementpersistencetrojan

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32