7b9a0fd990959dfd15a879bbffd13d4959b9bdeecf6831b91b8ac02d72e9bba5

Sharing

Copy URL

Twitter E-mail

General

Target

Tips_n_Tools.zip
Size

170.5MB
Sample

240802-1btcna1cmm
MD5

f9adceb283b20ff987be7d3c8e65bb80
SHA1

83df016b52f818fd188a7b756782b0b6e6db80b4
SHA256

7b9a0fd990959dfd15a879bbffd13d4959b9bdeecf6831b91b8ac02d72e9bba5
SHA512

b04257f5747b50ac51e2ef94ac695331dd6e77c3168c0e4ac3fcec892cff6ba6ad2923261a6db90f367c7d55937fc23e025f59f8fa80bd66812975db79d30784
SSDEEP

3145728:KLH08V7hwmN0uEyiUSJCIyzi74Ut3rw3GcOot5tICTP5SucTBZ8qxB+J+Z2ifmRM:KLH0m7hwmGuliUSnci74UVrwtBtbICLA

Score

9^/10

Malware Config

Targets

- Target
  
  Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.chm
- Size
  
  24KB
- MD5
  
  411e4fba3110e963a85ceaf46e8cedd2
- SHA1
  
  4272eb5976e951c448fab798f7b1fb0437f8f148
- SHA256
  
  63606a5617a62060a2894904bf28d53f9f80cbe7b1be885cec114173d054767c
- SHA512
  
  c8cdb839b6a49591a64a949d8602ef14703d47a7c90b300db9a4b64fd59a8e3b3e6ee6f4881732a05ff480fc23241848cc99852733e1049da5342b7b4e176ce4
- SSDEEP
  
  384:9TXSD100stETnEaqFqFWWreTy7H9CluSY1t5A2Xzo:9TCDWtEL8Fy0yH92zY1/A2Do
Score

1^/10
behavioral1 behavioral2
- Target
  
  Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.exe
- Size
  
  189KB
- MD5
  
  5c1729d2611fdcaeeadd238c1f0427c7
- SHA1
  
  ddcfca0994cc92783d6a942075166f026c88ed07
- SHA256
  
  95e50f7eea21bfed82a34a24bc5d66029146c7b988e889b11f30b45cb364dcf1
- SHA512
  
  47c608e0590e1f73c32a0c677f9b81738fb188b27243e99d514911158d673f18ae7ef99ea897e87c850c5588eae19e3d6ae8736e0a974dd51f438f5190e362c5
- SSDEEP
  
  3072:3FSG80yvkmcA4bEvLhWoLdpxgZZapW9T8iXcWWbgYrrzwKeugTedajIHNNSP7g8x:fyvkC6EvLhTLdpxgZRbWJdBHNNSd689
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral3 behavioral4
- Target
  
  Spoof Instructions/Spoof Toolz/Reg_Script.ps1
- Size
  
  2KB
- MD5
  
  f6ec4049038befa3c34026fd383724bb
- SHA1
  
  0a743c7be9b7e8205521c2078fdd2be0fdb4d699
- SHA256
  
  f1fa0460e67cd95216cfbd860508ca0ce5b781b0f2e3a62eef26fdf5a7903389
- SHA512
  
  8282e1db6270aa86f949d5c2ecd5a9c7a1b16d2c168a66d728555b0871be7cb5bd5f62aac009466f6b7023492af79ba012ff9d884f10de4688795dcf5226a66f
Score

3^/10

execution
behavioral5 behavioral6
- Target
  
  Spoof Instructions/Spoof Toolz/VolChange/ChangeVolID.cmd
- Size
  
  1KB
- MD5
  
  ca66f9da8e62ffee52071d1570bd2442
- SHA1
  
  0be16f861635f92d830b6546d299ba785ebbe9a7
- SHA256
  
  90f5849cac1ef0a43566b8533429c751045fe1ace4ee48f23be7094b9019de86
- SHA512
  
  5839d662153c3f6ac1278f168b885cd89715e526912abbc7925c204d0e92d308f5b7298e25a5669fb62f769e9bca759f926a02fd96b82de3510f22cac18b8b2f
Score

1^/10
behavioral7 behavioral8
- Target
  
  Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid.exe
- Size
  
  228KB
- MD5
  
  4d867033b27c8a603de4885b449c4923
- SHA1
  
  f1ace1a241bab6efb3c7059a68b6e9bbe258da83
- SHA256
  
  22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3
- SHA512
  
  b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702
- SSDEEP
  
  3072:OgfbRmDIHA98kK2WndTslNac+dA6YdqhsXCNZpp4GIoHZUFozD3zgJwDmr9u76v9:OSCgkKdcg9vCoaoMpcto
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid64.exe
- Size
  
  165KB
- MD5
  
  81a45f1a91448313b76d2e6d5308aa7a
- SHA1
  
  0d615343d5de03da03bce52e11b233093b404083
- SHA256
  
  fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
- SHA512
  
  675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
- SSDEEP
  
  3072:PngbfXWm18pX82lOl7NuT7DLM5Weo5UFs5QM8JwDmtFk1glurXEa:/gbfXWVoRNuT7DkbFsKM1glI
Score

1^/10
behavioral11 behavioral12
- Target
  
  Spoof Instructions/Toolz/Activate Win10Home.bat
- Size
  
  102B
- MD5
  
  98e0c5096286b68558b45e94a0ef0336
- SHA1
  
  d04429e487458fba3e41ca254de6ad7b172b9bde
- SHA256
  
  6cdfa0180668b23a2442a2cde84b5a3044aafc7c68c14d2ba080b4475ceeaf79
- SHA512
  
  c66fcb12965f42c2422adbded3d4789842942175d4f458a3229580fd2c017baa8d28fb0242913ca47049ee829aee82e3b0b703591c235fc7e0a52ee10546b7f2
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral13 behavioral14
- Target
  
  Spoof Instructions/Toolz/AnyDesk.exe
- Size
  
  5.1MB
- MD5
  
  aee6801792d67607f228be8cec8291f9
- SHA1
  
  bf6ba727ff14ca2fddf619f292d56db9d9088066
- SHA256
  
  1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
- SHA512
  
  09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
- SSDEEP
  
  98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR
Score

5^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral15 behavioral16
- Target
  
  Spoof Instructions/Toolz/DNSBench.exe
- Size
  
  168KB
- MD5
  
  04177f89fa23b9d6fec146d9be737566
- SHA1
  
  b95ea3c6094affda5f05110d1c0ae6daa56ebc2b
- SHA256
  
  a1375a7ecbacf70efd3d54c7ec3c1ceae7166ad1c723b390ac78d7a3e1b19f92
- SHA512
  
  75244f24c1d3710e7eb292d72fce0e276143f6302d02edf22db484be21cda52f74166fff3e511a734de1b1b77c18d0ddf9776586d8e102d5f9619d7011c1f3ad
- SSDEEP
  
  3072:5Sww+ICvU0Qv8Z9yzvSh3gzaDKzHDa4cn2qTWM9gbYfOheIB2:5SwwPC08CzvSh3geOzm4cn2AWM9gbi
Score

7^/10

discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral17 behavioral18
- Target
  
  Spoof Instructions/Toolz/Defender Control/Defender_Settings.vbs
- Size
  
  313B
- MD5
  
  b0bf0a477bcca312021177572311e666
- SHA1
  
  ea77332d7779938ae8e92ad35d6dea4f4be37a92
- SHA256
  
  af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
- SHA512
  
  09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8
Score

3^/10
behavioral19 behavioral20
- Target
  
  Spoof Instructions/Toolz/Defender Control/dControl.exe
- Size
  
  447KB
- MD5
  
  58008524a6473bdf86c1040a9a9e39c3
- SHA1
  
  cb704d2e8df80fd3500a5b817966dc262d80ddb8
- SHA256
  
  1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
- SHA512
  
  8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
- SSDEEP
  
  6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Score

7^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral21 behavioral22
- Target
  
  Spoof Instructions/Toolz/DelUSBCache.bat
- Size
  
  456B
- MD5
  
  0b78043bbd61d3dccdda385de5507388
- SHA1
  
  b14f47b3d6df6e07ff6481edfb9375b9eaadf58d
- SHA256
  
  723f533c2c7dddecaa68cbed2add9424d3cd1e79483e9e051fb31c7da7b8ab3d
- SHA512
  
  51d37db0babb1133f78c27953ffbf7632c8a4c1795d10d48ac8b2e7e84dba4fd574e9ff776d5dcd70442804578538b366e91d3488eb36151d6f5d4f3d63b8a87
Score

1^/10
behavioral23 behavioral24
- Target
  
  Spoof Instructions/Toolz/Free Online GUID Generator.url
- Size
  
  248B
- MD5
  
  0d30c5d224810b87ee5a4b67c6bee37e
- SHA1
  
  4c2f79589eb3f228f25840ee5957a4402cbb0b55
- SHA256
  
  2d6adb30c23ec0b672856b7d1bd9f8a5a2d59e5d01c218c99ae98d7417cf7a27
- SHA512
  
  03dd852110635a055ebde5fb7950eaaf0ab6b2b8239f0c7af09bbeef69d44e400d2a19234868e788662d944c9f6f293e1c4490b9d73a473051c4356a6b0ddae5
Score

1^/10
behavioral25 behavioral26
- Target
  
  Spoof Instructions/Toolz/GeoLocation.bat
- Size
  
  1KB
- MD5
  
  9b5aedfc8cd2493803737f542828166a
- SHA1
  
  6abb1d991cea9cccdb7a08082fc9c22ca32baab1
- SHA256
  
  5f8ba3ee3267ae4174c21eb587d711a0eb123a5681e4387dc02f0a5b1bc3bd1c
- SHA512
  
  e7413a70df5dd13b4c7dfc94b26e7a8b4d267b926720c6d7b7e8be90a0d53541dbf938a5cab61c0c6db4a109d47af8a9c935494f0ae5fa195a9b004683924a1e
Score

8^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral27 behavioral28
- Target
  
  Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe
- Size
  
  23.7MB
- MD5
  
  04862d6db6cf3fe0fbc8aefb3f711952
- SHA1
  
  ac9442e75bd6ac39456f9114d62752694497cf44
- SHA256
  
  062629714716129610709d15bb2a8fac436ccf28b2eb3e67c754b1ef0a1d92d8
- SHA512
  
  28cf9f58ec69d227110c803dd3ad6528efcf837cb1ae664e2c39c11052e4998b1af272045e38d14207b9314d0a6de889877c713924f40b274ba46092b351398c
- SSDEEP
  
  393216:5X0sRxCa14ApBLHWIWhkvEcrfp7uSIWssp35QVGgYGHcMenumG1RIYKj1SN8Ojxi:SuCmLHRdIWsBGA8imG1RIYKj1SN8Ojxi
Score

6^/10

discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral29 behavioral30
- Target
  
  Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe
- Size
  
  318KB
- MD5
  
  bcd6161b343dc8720e162a767f43cef3
- SHA1
  
  b9e93c755a04407b14998cc3a3c0daa6b01bb3eb
- SHA256
  
  ea0a403721dabdf04450c835667facc68a5434989263bea3701de6c9eb784a4d
- SHA512
  
  7cf62ce9eca4405c75f6e8db0b025bc7075fdb52e95e74e27c6910c9ee3c738ae457b0eadfa5f60f3378b651f6a3cf7fe12a8c261fc9822da782606eb4b3e4bb
- SSDEEP
  
  6144:wEUX9TD12SFJs/Sqh9gfvVSYi7oVG8mmJdn6:wEQBs/SqhW8YwP
Score

6^/10

discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Enumerates connected drives

Maps connected drives based on registry

Checks computer location settings

Checks computer location settings

Unexpected DNS network traffic destination

UPX packed file

AutoIT Executable

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Enumerates connected drives

Drops file in System32 directory

Enumerates connected drives

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32