7d5a8384660b5dfbc3511ae32fbd44e18d59962088208e68820be3f2668a8547

Sharing

Copy URL

Twitter E-mail

General

Target

7d5a8384660b5dfbc3511ae32fbd44e18d59962088208e68820be3f2668a8547.zip
Size

16.4MB
Sample

240727-bz2w9sycqn
MD5

8f6fca06a7f1078ef3d25f12df90f328
SHA1

3b1f1f5fa1fd7ff8d20ed921bc4254fffdd3d179
SHA256

7d5a8384660b5dfbc3511ae32fbd44e18d59962088208e68820be3f2668a8547
SHA512

4adfcedead6448d3fa8cd850514a7af64ae9d3f135ed46583488b0b08fede183cfed03df0ba41c8b287b263b081d2584bb02f870a9de99bf282e631b1d7afc65
SSDEEP

196608:1LnvW0qF34+9uyhpoeg7ACobb4kjqiDtIpR3yEpZV4uiP0FefYNokwRX6S4SvtP4:1bO59u4oiCtKub7aJfHk46S4SNsB

Score

10^/10

discovery evasion

Malware Config

Targets

- Target
  
  File.exe
- Size
  
  760.0MB
- MD5
  
  22393a03928e311b2f200404636357c3
- SHA1
  
  1c588f2acf973303c19011093a03095cd234df1c
- SHA256
  
  f0b73251977c6ae98bc37a3c342327dcd45155e02198a5548d1a71c811d3dc9f
- SHA512
  
  1ff30e07a78fd34a4d043df5291bdbd53ee3ba86df3060cf57db29bd662f487bfb8d17e44a37a0a0e81f19ab8d1a5b094cd1f77916b48e7f3764627590d2c5e8
- SSDEEP
  
  49152:VHc+ANhKDW6GzT0FFg3prZKZiUq5eKK5ZqD45FHzoZswW:VHc+ADKDW6Gz42rpUxRJzM1W
Score

10^/10

discovery evasion
- Modifies firewall policy service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  updates/Cache_Data/AudioEng.dll
- Size
  
  1.8MB
- MD5
  
  074adb230e03ccdd7592aa91fd6827e6
- SHA1
  
  3a95aa2151b0c23e6733fbd538c927a54fcded4a
- SHA256
  
  e75a456c18d93a9bff731139e5dff0b7a92f2e1f5b7228274385c65a527a1f42
- SHA512
  
  2fb38a45bce2bd4cf2b010522e3f7173f2381481ca194edf05d6aec292dcb39b80a9564a0d197bb4949e9580f178582f9c3b1dc37d3fcce05d496f1da615644f
- SSDEEP
  
  49152:TAEM+CEh0/Rlhh9hhDhMLhhQhhIeCBR2U+8TB9DFRKPcMJmYoHFOjzdYes/QFlP3:7MX5hh9hhDhMLhhQhhC2sTB9DFRKPcMB
Score

3^/10

discovery
behavioral3
- Target
  
  updates/Cache_Data/CbsCore.dll
- Size
  
  2.1MB
- MD5
  
  4cfec4ad388bb464700229c41bbd0f9d
- SHA1
  
  9ec52429b0e758f4dbf25da66c856f4036204025
- SHA256
  
  079d43ecd7d3be041436f2d3f032aa0ed8603f6682465d6139fe3745a2625e11
- SHA512
  
  16b9a51709134601fbb55489366949ebf04ac37da8b578c02b8979d460baec73fcfd74df4a7a3778b2b780c74c34e0d5398ee6297f00192bf2580b699b199454
- SSDEEP
  
  49152:NqRcZBqfW5t7q6CmuIKMDtTvNx8Gg5YZ9jAMFAI3Qb:NqRcOfW5tJCHIKMhvfCk9jAMyb
Score

3^/10

discovery
behavioral4
- Target
  
  updates/Cache_Data/Microsoft.Uev.AppAgent.dll
- Size
  
  1.6MB
- MD5
  
  69cce5450675ea07e32f555f13a33971
- SHA1
  
  a71c3ecf616f2f34d0529f06d3ca648a7e368de4
- SHA256
  
  614cfeada30de1be92e377e74e54a8ad7ba829a7bf3137f4c70e0e05f0aa206f
- SHA512
  
  60839bc99c8c96bb9f3b82f058b55cf98c71ee1eb8df30417f0cb9f379dfa71e6ce2aadf922a2db6459569dab297155409b62ddd5b86d19ca244c4f34afcaaea
- SSDEEP
  
  49152:jcJ2ntB3qDn9BPBaa/ZEWHKt3gm+yAJ1rWz46+tUo:sEtl05RLK3I
Score

3^/10

discovery
behavioral5
- Target
  
  updates/Cache_Data/certmgr.dll
- Size
  
  1.9MB
- MD5
  
  c57abbb736050e8efc24f9a4829cecdf
- SHA1
  
  8d1bff10b4d5c35024ac0022ee819aa0b1d0f92d
- SHA256
  
  859519d057e0720ec3b9a743f8869c6354d3d67a2154bba6d6db2b4b9fd5aa18
- SHA512
  
  ecdcd427351d60923f27e3e1d05442ab0f5648340bdb0686f8256596186c418652eb277b332b9eb2ebeb82c753bd8e551004dfab7ae332a7e4033733bea679af
- SSDEEP
  
  49152:P1fjXbKWda6SyMMMMMMeMMMMMM53uXxU:PdMMMMMMeMMMMMMhuXx
Score

3^/10

discovery
behavioral6
- Target
  
  updates/Cache_Data/clr.dll
- Size
  
  7.7MB
- MD5
  
  3acabd94d146e379089e9a8c2acb1f97
- SHA1
  
  fc8ca36b973af120b6de8f8e0e14ac82bdd361d1
- SHA256
  
  570e97dfc58309972f06954944e161066b4da31c3ee7588792e6aa0d209b8c33
- SHA512
  
  d743776f8f91c6d1474ffd423ad418d513313f05ae4162b865f9686568508add84ed726ce7421f8d9cb69b615d211dfefca8d0d00f0d5d83834bbbc2c1ccc75f
- SSDEEP
  
  196608:Wccx3T6c+jCkne9LPUu58uxM3jwrIUtDyM/JEveHPP:PU3T6LjCke9gu5I3jwrIUt3E8
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  updates/Cache_Data/mfmp4srcsnk.dll
- Size
  
  1.8MB
- MD5
  
  f834ce3103c8a181b8bbefef6d10e6e3
- SHA1
  
  22aa525119af6ad080182fad70ff902c81df42fc
- SHA256
  
  312efcaa24698f3da62e04966f0c509aa9a5f795b1570410beb4b9a76251bb52
- SHA512
  
  0ab6513dc6ca75a1be71459c4bfd7f444c9eee5c4dfccda679cb2233a07c819074058da6978c9350758e2d16edfda74565fd685b1b76178b32ba9d5da976b7e7
- SSDEEP
  
  24576:1k6Hxm3XOBZOiAY9TU77o9pKT0QcukYXEz4NHw7oVLXubF60MB7vTSQ:1kfUOX776pkqukwjHZLXuJ5MhvTSQ
Score

3^/10

discovery
behavioral9
- Target
  
  updates/WsmSvc.dll
- Size
  
  2.2MB
- MD5
  
  20fa73336f39e968ac6d0367d681a97a
- SHA1
  
  f0d26d413135b302d411e287cd8427fd1f14214e
- SHA256
  
  4ef2431d42d2bc0fb1b1991ebbe7193f081b37502acba6e980b53db85b931b71
- SHA512
  
  f087c844f4d005160e60d4214f2737ed8e5d037e35afde1ffe32639f868053ac79bd3e92115f1a59f5de2b5aa721d3afe5da1fdc17532ae514939be0f7f453f9
- SSDEEP
  
  49152:r8mKFOm7t3UunAN7vzU0+4iclJJjEIMyjZJhEoouIiRNLmdO6+MNOVcge3JYoOlX:llBN5OijAO6+PeOl
Score

3^/10

discovery
behavioral10
- Target
  
  updates/dll/Aspnet_perf.dll
- Size
  
  42KB
- MD5
  
  f22ad2623cad6567abc6c8e865898733
- SHA1
  
  e3e72a26ab83ab3adce5ea83aa9de11f3621e2c1
- SHA256
  
  62e9c0825100ff5ebd93137d3be2466100d73ab3a1cc9622adfe54ec143c0c75
- SHA512
  
  2ca1ffcd0625b1e28775264c54e72c77525a8df9f40b7c5fdf8c046adc3b3940c0d99556f5e64e55f663cff74e9ca670c05409d1aa297a17ed1053302be4e5e3
- SSDEEP
  
  384:4juERoF5GbCOd6cZHlNTbz1pjEc04AJPrKrRKjvSn1WiRrWQXws2QpBj0HRN7qAt:5Ee6P6sl7gctAlKVVnnbXZ2qWF8
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  updates/dll/InstallUtilLib.dll
- Size
  
  114KB
- MD5
  
  fe01d395c4b85df8c426fc9620120ba8
- SHA1
  
  23348d42947a64efa5209b30e9b8a6264f4a990a
- SHA256
  
  4f10c0bd8d22e8215b02f092279abf7bb148cb1497207ec2ebab32662009b2ac
- SHA512
  
  d255211adb5fbf5cda875ad138abb064a7deedbed28f4e862df4fea962f84437c92a53dd18ed6d2098d0d9415d4a5ca80e39e9bc91b4382b01714d23f29615ea
- SSDEEP
  
  1536:dS8CWyksWMcdM4Bpjr+UsgtFmVrrXL1MgbIurgnOMolQbm8DhIGo0Uqc3:dS8SgMA+jVrrb1MMBnMolULDhImc3
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  updates/dll/PenIMC_v0400.dll
- Size
  
  25KB
- MD5
  
  be49782166585d455168eaff44274699
- SHA1
  
  27715f1c887f06ef10b387ade54f8bb3e5b867df
- SHA256
  
  6e1dc112a74c3149043136f847e21148c823d76fb3ed61b84d4a4e7e53bf527d
- SHA512
  
  d8d2dd196223c917d2d2df3a20dfe7cce814c8728b6bf7732195e085ed7744b3123842e0cfa3a1e65a7861976707502ff88fc39a5774884ae23e7cecc276987e
- SSDEEP
  
  384:OY4ItHJJdsr6jWXDWZ33PQpBj0HRN7aiyQHRN7I8Ilv23lmiWgJ:/tHvdsrvqqWaT8VlqW
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  updates/dll/PresentationNative_v0400.dll
- Size
  
  908KB
- MD5
  
  8eb5131e94f21644d5b10dce26057bf6
- SHA1
  
  73a5dcd44ee7810232a4e8f4563298ea14981916
- SHA256
  
  295d61d24fd1ce5a24eaf6b84e7895fe919439a14b26f04f863f8f0880e91de1
- SHA512
  
  5087a5b7aa1c454f4828965ec3c11f89bc92fc4302b74a39b73bd3a72da05896485185f165279a07bcb6ff042e2ff203b2921b4a50abb890f48f130d3bd65f37
- SSDEEP
  
  12288:RXInGdI8OPo2MRveRz9DcNU4P+oBXpKEALYAUekPJ4BFN881GCqh2:RXInGm8wMiD8TP+oBXpKzYAUPJ+X9QTQ
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  updates/dll/PrimitiveTransformers.dll
- Size
  
  62KB
- MD5
  
  3c7c0f531b18bfce88ba3e7d7462602e
- SHA1
  
  82a7cd2aacb4d1fa2a87072b0ef749d7fe523742
- SHA256
  
  b7fa74f9a083426bb33fba0e2294fe016e47cddec2eddcde4e34e8e620e54ce0
- SHA512
  
  1f4b4d8072ff0af1d70ec75b3d68a56837ce652dfac0afcf49cc9ad9ba70c804c6edc04a3c49e103fbe16dd7e5d53e74fefc0d0fa96b9e8c09b4d659de93541e
- SSDEEP
  
  1536:KrYtrnCjjolfyy5zCQjS0PFagP1pM3DSYmmPSwzoV:KrWCjjod5zCQjS0PFLrOezm6w4
Score

1^/10
behavioral19
- Target
  
  updates/dll/ServiceModelPerformanceCounters.dll
- Size
  
  88KB
- MD5
  
  5f8650c4e6f1edcc2f9c65897e1d0527
- SHA1
  
  517d5e510accfe39f19ec17f72409e14644394e7
- SHA256
  
  7be6193201bd73b63104a8700be69b82cbcd8ce42f63d3324ae818ad16bd131b
- SHA512
  
  6ebce11471a44c48407382df6d98b53a4e2971f4c83670bbdb68d7b35d825abcf3189889acf4434d292d84d27c6b6ef03f073658461a05e75abb9e3a02f9590c
- SSDEEP
  
  1536:3CYcjsWY5cdKgz6ZNJbSOaWvk0fqG73yfrcqOGO7AqEsl/dW4xQ6M6:3nc2oKLD+WMrG7ieAqEsllWr6
Score

3^/10

discovery
behavioral20 behavioral21
- Target
  
  updates/dll/SettingsHandlers_OneDriveBackup.dll
- Size
  
  101KB
- MD5
  
  4b87a8c6dcd541351dd8bba87ddde5b3
- SHA1
  
  98bc2c7088197b0ab4850ff9234f01416e1b1738
- SHA256
  
  0dfb42a0710a2ea77c98e23151de8eea771d919b34e043215e3824aa11015d9c
- SHA512
  
  b7b2abb35f4121a904a72333821a1f438afaaf55fdcfbcc028d0ddd2ee715ef57f2e0115d2d115a88eb6e4201d2733d783763640dec53262e9abb99d1357a8b2
- SSDEEP
  
  1536:eJ9I86WXlcf0RR3+k9lwDqmHpihUWhTlBSylX9jUqMoSavj2L0nYYpQ0c7lD:QjysRFDUpihzhTnSyfjeIb2GYyQ0QlD
Score

1^/10
behavioral22
- Target
  
  updates/dll/System.AddIn.dll
- Size
  
  160KB
- MD5
  
  99ab52bffee95e75ab15e81e4e68db8b
- SHA1
  
  514f87b20590ebc08adc5139bb35a4d3c6c24735
- SHA256
  
  b04b43743a8d56ce4f04b265ae0ece7185ca5cc2508feed6e7da071f97732076
- SHA512
  
  94943402e4de12af68aba08db030b8bfdb2383f13c2de65a17e4afc1998f479ef0cd97e4c12afb09f1cc0effb6ad1e8fa311a9d0191431daf0de3d011b95c09e
- SSDEEP
  
  3072:YP39d4oMwNRjZn1FZ6YVPAgBMhgGehPg+aR6NqOuw47wlQ9Gs6LWTsr5WsJbDUh:MnNRl7Z6YrKgG2g+aYNVuwi6LIsr5WsJ
Score

1^/10
behavioral23 behavioral24
- Target
  
  updates/dll/System.Speech.dll
- Size
  
  676KB
- MD5
  
  d04c846a1d4bb16e5e5e9a0fb10baf47
- SHA1
  
  7691c372b3c494671218ee5c8c56a6d7c53815b7
- SHA256
  
  000028670db2a67449efeaa1a6e96afe1124094bb6123144780c9eca19767b61
- SHA512
  
  6cd94765fa9ec73f570189e9aae8a900ceb19e4ad02af60f231bf258690869bc4d025a409094abb04dbb3ef8491741aceb641e41e3835eabb1d76f6afc5f2309
- SSDEEP
  
  12288:bw8dlh79UShP3eBN95w0rHhoynhl30DMYgukJnG/d/lFFZ1BvONX:Flh79US53O7bhl31YMG/d/jFZ1BvONX
Score

1^/10
behavioral25 behavioral26
- Target
  
  updates/dll/System.Transactions.dll
- Size
  
  255KB
- MD5
  
  6432dbab3ce97c10bb97ed564c3c55b7
- SHA1
  
  de77ed04fabebd78a407b662f6350d28956bc613
- SHA256
  
  99bf72b38e4d76005468eba64016049127d835b89b3ed7523d923a917b444679
- SHA512
  
  7111e2d1e53acb58796d29573e9a0c05ba947c5339dd1a97df31048b4d38be867a07c8078c7c925cc5c89d22531dcbf3ecef214dceb7dc6729d275d3a651c7b6
- SSDEEP
  
  3072:Lw9fJd/ppK6oxJ0uZlhX3OFwe09mbkyr8Ljca2cDL11rIo:gdhpKUuZlhHmwe09mhAj7tDL1R
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  updates/dll/System.Web.DynamicData.Design.dll
- Size
  
  32KB
- MD5
  
  b58d5ad34f57262b1aa9056791762f18
- SHA1
  
  067250e55daff11761dcf5398ea94b21d119caef
- SHA256
  
  6776fd7aa08170c1618acee4bb9af93e2b1169f253468b95c120ff5a5b70bb2c
- SHA512
  
  6f4df2d720c4a41f4de5ae2953032165c53d9e701417d0dc81c4eceb925b8127fb7f21fac0bd2306b8dfdf9373037e4d11376730449be85f1ded2b38ce8a5a20
- SSDEEP
  
  384:9IOtqjpiSDGsTz98jzk9g67KGhJSxUCR1rgCPKabK8tBX5PKytZ+pyW60W:zkVdDGc+k9FiJCW
Score

1^/10
behavioral29 behavioral30
- Target
  
  updates/dll/WMINet_Utils.dll
- Size
  
  136KB
- MD5
  
  3f39fd88760ba315975f19e45a30c62d
- SHA1
  
  50878ff5ff64cc3ea7cc7de86beba885e4052d26
- SHA256
  
  fc0f7db5efa34abc02b426f94b1d172cca3552e3c34ac0b9244d8388fc00f669
- SHA512
  
  73f64e78d02d47f1167f1d4ba93940b47aa5cf8537c9a59e70f59b539a1412c5596ce441d66287c3c9d9d6edd32f6971772dc7b5889e63b8b2b998f6fac0cbb3
- SSDEEP
  
  1536:/LjjjvCH9zzZD7eWjhMrFIwRNxFXEMxbm/demW17Nn7:/Hfv4dqFNr02m/dem67p
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Targets

Modifies firewall policy service

Suspicious use of NtCreateUserProcessOtherParentProcess

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Drops file in System32 directory

Enumerates processes with tasklist

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32