General
-
Target
Playfab.exe
-
Size
270KB
-
Sample
240802-b4bwmssgra
-
MD5
f9123f72fa4e53a953ef0594483cca78
-
SHA1
fded2e71ec8ec6ab99fad2886ce2a4e4e982c740
-
SHA256
f8daf0a06a4d01e8fff7ed99e77c236b0cd4c12bbf9fbdd72dc5b342bc3b8703
-
SHA512
a61fb273da6d01209dcb9ac4be3812f9c101c510334fa9ae2ef46d977f12bc9c7d0807f1c455a27d4c7d8544caba2a729846adc7607bfb38b2857e4829c97ccb
-
SSDEEP
3072:0WifTgFbmk5G2nyd5/ZREeI8Y+fmWHfDUiESe:0W8kUk55oPEelfvH
Malware Config
Targets
-
-
Target
Playfab.exe
-
Size
270KB
-
MD5
f9123f72fa4e53a953ef0594483cca78
-
SHA1
fded2e71ec8ec6ab99fad2886ce2a4e4e982c740
-
SHA256
f8daf0a06a4d01e8fff7ed99e77c236b0cd4c12bbf9fbdd72dc5b342bc3b8703
-
SHA512
a61fb273da6d01209dcb9ac4be3812f9c101c510334fa9ae2ef46d977f12bc9c7d0807f1c455a27d4c7d8544caba2a729846adc7607bfb38b2857e4829c97ccb
-
SSDEEP
3072:0WifTgFbmk5G2nyd5/ZREeI8Y+fmWHfDUiESe:0W8kUk55oPEelfvH
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1