General
Target: Malware with taskmgr.zip
Size: 2.9MB
Sample: 240806-2kbpmssgrn
MD5: a964aeb3e8cf59d3b8708af99731abf4
SHA1: 77a9caa0eb747c0d5bba1d2b86dd13537516f849
SHA256: 39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
SHA512: 9109666afd9cb90a9ba44ef14a9914afcd7749169b2e4a04f6066f470a7a89503ddf90a21adeadd4dfd2056aa66854f99db532824be64c95bc0d94ad7439c79a
SSDEEP: 49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESc:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd
Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win11-20240802-en
Malware Config
Extracted
cobaltstrike
0
-
watermark
0
Extracted
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\#DECRYPT MY FILES#.html
[email protected]
https://shop.linuxenc.top/buy/2
https://search.linuxenc.top
Targets
Target: Setup.exe
Size: 12KB
MD5: a14e63d27e1ac1df185fa062103aa9aa
SHA1: 2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256: dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512: 10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP: 192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
-
AmmyyAdmin payload
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Modifies security service
-
Phorphiex payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Renames multiple (1484) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
  Command and Scripting Interpreter (2)
    AutoHotKey & AutoIT (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Impair Defenses (3)
    Disable or Modify Tools (2)
  Modify Registry (4)
  Pre-OS Boot (1)
    Bootkit (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)