Resubmissions

31-07-2024 15:05

240731-sf8zxazbjq 8

31-07-2024 15:04

240731-sft6ratgma 3

31-07-2024 15:04

240731-sfmrnszarm 3

31-07-2024 15:03

240731-se18nstgjb 3

31-07-2024 14:51

240731-r8c79syfll 8

31-07-2024 14:46

240731-r5qn7ayejj 3

31-07-2024 13:39

240731-qx27kszhpc 10

General

  • Target

    Installer.exe

  • Size

    1.1MB

  • Sample

    240731-qx27kszhpc

  • MD5

    9819a03ffd0525dc2c67095ed032ee48

  • SHA1

    4d39fce7df80e6d8ed1d07670a614879dcf15695

  • SHA256

    74f36ce2089cea27236550f53c879258e279615c9815f905776fef84f4c4db81

  • SHA512

    336244a436c8f1a169f5a58c8c8e22f07a9fe877736b0d60781667fbe8e82ac8c72859dd0d096e2eb290fd10065af1ece22d80e778a363de924f55de32aa3966

  • SSDEEP

    24576:aw2nkacAuv0EkqjVnlqud+/2P+AlYOnet:aRnkr7nkqXfd+/9AlFne

Malware Config

Targets

    • Target

      Installer.exe

    • Size

      1.1MB

    • MD5

      9819a03ffd0525dc2c67095ed032ee48

    • SHA1

      4d39fce7df80e6d8ed1d07670a614879dcf15695

    • SHA256

      74f36ce2089cea27236550f53c879258e279615c9815f905776fef84f4c4db81

    • SHA512

      336244a436c8f1a169f5a58c8c8e22f07a9fe877736b0d60781667fbe8e82ac8c72859dd0d096e2eb290fd10065af1ece22d80e778a363de924f55de32aa3966

    • SSDEEP

      24576:aw2nkacAuv0EkqjVnlqud+/2P+AlYOnet:aRnkr7nkqXfd+/9AlFne

    • Detected Ploutus loader

    • Ploutus

      Ploutus is an ATM malware written in C#.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks