Overview

overview

10

Static

static

10

tmplogmueij.exe

windows7-x64

9

tmplogmueij.exe

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

  • Target

    tmplogmueij

  • Size

    1.5MB

  • Sample

    240803-h5c9eswfmj

  • MD5

    fee7c379f3a555c5c821e872ec384a91

  • SHA1

    7346e2e29faddd63ae5c610c07acab46b2b1b176

  • SHA256

    1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690

  • SHA512

    5daecbea4102f9b6c431afa1d6d5bb196594e7c9640d7a8b388669268d737d6e4277797504a86169b410ccf3cd6e92e0c55065d15a495a398bc27607567d1497

  • SSDEEP

    24576:uSR66R9LwWCc9FFZUZVClJYkLbdf/nixuiO4DGDGW3628rKR1q+ClmJcpd++GMzr:uQvL9SWTVilyfMFo8D1b

Score
10/10
swiftslicercredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      tmplogmueij

    • Size

      1.5MB

    • MD5

      fee7c379f3a555c5c821e872ec384a91

    • SHA1

      7346e2e29faddd63ae5c610c07acab46b2b1b176

    • SHA256

      1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690

    • SHA512

      5daecbea4102f9b6c431afa1d6d5bb196594e7c9640d7a8b388669268d737d6e4277797504a86169b410ccf3cd6e92e0c55065d15a495a398bc27607567d1497

    • SSDEEP

      24576:uSR66R9LwWCc9FFZUZVClJYkLbdf/nixuiO4DGDGW3628rKR1q+ClmJcpd++GMzr:uQvL9SWTVilyfMFo8D1b

    Score
    9/10
    credential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealerpersistence

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks