General

  • Target

    Windows Diagnostics.exe

  • Size

    106.8MB

  • Sample

    240805-n2aa9avfqm

  • MD5

    6e4d314a4a60f6094cdfb71e22decbd5

  • SHA1

    da22ecbc03e635dd460f5c5510d1111028fe0692

  • SHA256

    871542defab5303bb9611bc92e01f6a3d183807fe2480442540f50c4a36481e2

  • SHA512

    c0c6a00407d8ba5e5207a10355ef7ac46d2e9ccf3a09ebbbc2441f7e8f3c594bc40a7430fd92cb87029c8c8be62c018b7e47ebc947799273f97a24fc2029630f

  • SSDEEP

    3145728:fCbiS6xjKcBa6R2qHO5izBVnG0iWMstB2Ox0ox3:62SWNa6HHCittieBm

Malware Config

Targets

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Sets file to hidden

      Modifies file attributes to stop the file from showing in Explorer etc.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks