Resubmissions

23-07-2024 17:59

240723-wk4grs1hrl 10

23-07-2024 17:56

240723-wjg75svcla 10

23-07-2024 17:55

240723-whgvzsvcjg 8

23-07-2024 17:52

240723-wf3pns1hll 8

23-07-2024 17:45

240723-wbtafa1gpr 10

23-07-2024 17:42

240723-v97eaavane 10

23-07-2024 17:40

240723-v8625a1fpm 8

23-07-2024 17:39

240723-v8bafs1fll 8

23-07-2024 17:36

240723-v62dvs1eqq 10

General

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://149.129.72.37:23456/SNpK

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

azorult

C2

http://boglogov.site/index.php

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Windows security bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (172) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks