Resubmissions

07-08-2024 19:26

240807-x5kqtssfjl 10

07-08-2024 19:23

240807-x32xbswcnh 8

07-08-2024 19:20

240807-x2kawswcle 8

General

  • Target: Quince_setup.zip
  • Size: 17.5MB
  • Sample: 240807-x5kqtssfjl
  • MD5: 14f1142ba2a969fb79ee60886aa89eee
  • SHA1: 7ccd15d2b1db1001c6c17550e7c3735494dd60a0
  • SHA256: 6edabaa1a35a493910bfa9e21bbc0ebe851cb631a2ec49d22c006109834426ba
  • SHA512: 73ef2830ea8e3ed332f4ec85833a8b497263fddd6bd1fce4d0885e37025ed89354543aa42406bb6e13bb6ed61cc05e429c7b09f19d8c7c79893467fa52f7c86b
  • SSDEEP: 393216:ASzkcQy8bkGWaW2dNcv0z6HbQ0Cdw8llIKV2vB5s2esHzQGncrq+p9:ASzkD3IYW2jM0z67Q3llICcOsHzQGncJ

Malware Config

Targets

    • Target: Quince_setup.zip
    • Size: 17.5MB
    • MD5: 14f1142ba2a969fb79ee60886aa89eee
    • SHA1: 7ccd15d2b1db1001c6c17550e7c3735494dd60a0
    • SHA256: 6edabaa1a35a493910bfa9e21bbc0ebe851cb631a2ec49d22c006109834426ba
    • SHA512: 73ef2830ea8e3ed332f4ec85833a8b497263fddd6bd1fce4d0885e37025ed89354543aa42406bb6e13bb6ed61cc05e429c7b09f19d8c7c79893467fa52f7c86b
    • SSDEEP: 393216:ASzkcQy8bkGWaW2dNcv0z6HbQ0Cdw8llIKV2vB5s2esHzQGncrq+p9:ASzkD3IYW2jM0z67Q3llICcOsHzQGncJ
    • Rhadamanthys
      Rhadamanthys is an info stealer written in C++, first seen in August 2022.
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Downloads MZ/PE file
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Event Triggered Execution: Component Object Model Hijacking
      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.
    • Network Share Discovery
      Attempts to gather information on the host network.
    • Checks system information in the registry
      System information is often read in order to detect sandboxing environments.
    • Drops file in System32 directory
    • Enumerates processes with tasklist
    • Suspicious use of SetThreadContext

    • Target: loaderV6/AcXtrnal.dll
    • Size: 84KB
    • MD5: 7a8363e16731be3c2c8e19d8cc09c55b
    • SHA1: c91428381a21769b8b0d43ad2ff51ecbf4484148
    • SHA256: 74e806ec92105141400a92bd89b1dc17881df02a5014ebb421853a4ddeb90954
    • SHA512: d580d64287ff24d410b47865fb328a57c034890f4f8d3185e50cc9d41523b97f35f088b917c73c4752676242d7bd0be5066e4ea8cef5563fa9c4081aa428bc8b
    • SSDEEP: 1536:kvR1FvU175th5AuXKoG1P7fTCUTj/y5BnJAGVrpXn6PO:U817R2JoEDTCUT+9JAGVrpXn6
    Score: 3/10

    • Target: loaderV6/AdaptiveCards.dll
    • Size: 41KB
    • MD5: 43c11ee7a1d9f62c429972c07dd33229
    • SHA1: c091b972937d18f9a52c4fd33188e4f3e401ccb7
    • SHA256: f8e015de2e77647dcaa2d0e1b9b1ac284e9d987385b9947591813b4bd6796e32
    • SHA512: cb9a76ae4ffe1c297bb81537efb14b2686f2a7c37dcce874d107d22b37bf28b34d4f0b2e29fd2fdb992dfb15dc583dce7c140bb8a4d20f0331bc93b26f6401c8
    • SSDEEP: 768:svEUgi5QYojjPIKg7yrGEw4zk/NF1IzZLrop4NVXldt1vZstPGck6jv:s8UgiW7jPIKeyrARNF+lu0JDvZsBGcks
    Score: 3/10

    • Target: loaderV6/LoaderV6.exe
    • Size: 59.8MB
    • MD5: 122e5491ff7d692f2308b0f40e49e32a
    • SHA1: 03c00f1e743584409024e64ed2f216bce5dc2153
    • SHA256: 569668593ebaffc50c1bf819b3908416ab98959cfe3a5438d199360c172bd674
    • SHA512: 5d3b627e6b9d2531ce557e6bcd14326219227fc3e6d05c3e085a63f8bb3e6fff3f4a7abfc424b3885811dee600992a3dc0e213ddd4650b9275a3d1709e5f9e2c
    • SSDEEP: 196608:Yj1rr+exTfU3+e2J7crs+efUlT4E6RAEbIBOHtMxoXLaz5LbpGdYWtftJJoBOC2b:err+ceXiml9DoGqXLaz5XpGSWzoBw
    • Downloads MZ/PE file
    • Event Triggered Execution: Image File Execution Options Injection
    • Event Triggered Execution: Component Object Model Hijacking
      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Checks system information in the registry
      System information is often read in order to detect sandboxing environments.
    • Drops file in System32 directory

    • Target: loaderV6/LoaderV6/AddressParser.dll
    • Size: 52KB
    • MD5: 09a620a0d09694d03bc8fd5d8b8aa819
    • SHA1: a7db367da4c455f7b4e42e9055ce1ca58923bd85
    • SHA256: 381a701b27ba655a6833a02803a36aa6607904f6fb3c0b5530bacdf92f00da78
    • SHA512: 68f17d726ad6811fcd4487340dbe13d7d97d515fed967dbefaa6b52ffe26b13f55f682939d1425624f83068e1b75c05fc10a601a81f01805c97fc9feffcb33c1
    • SSDEEP: 768:WljQbhFMQUmxHqE3F0J0Q0K/SzFCe+VyDQc2gxpj+FrH53rNWiXI2Itp/zn:WV+fggKCFCe+Vdo2H7NWiY2It
    Score: 3/10

    • Target: loaderV6/LoaderV6/Apphlpdm.dll
    • Size: 29KB
    • MD5: e166daac460eb2a7a67c9a5a2dcccf1f
    • SHA1: 994ff138c195fb13d4cd3446ab68224b2c210a2c
    • SHA256: 09725c772489573d6b1489591ec1e0f580c5c1f650f82d0a112a44fc89842938
    • SHA512: 0605565ae013f5973a2946796a83c1484ada9dbfeeca0b379267e90037426ecf8932310a3f431cced44bba4c722fdb201ea865df91df0803246f9f73b287d374
    • SSDEEP: 384:dlPLo/0VIp747y9M+qzviYng+B2CLCB8j17fzWY9Wf0jgvnTEySeC:dZIp74glmviylJ17fXeCqVC
    Score: 3/10

    • Target: loaderV6/LoaderV6/appidapi.dll
    • Size: 54KB
    • MD5: 9803723f2be4fb990b88b3cc883731c0
    • SHA1: fb7b51ba3aff0df9bde338a28efaafa5e9520454
    • SHA256: 2827e2a738ad0337979739558e6da19a012dc91ecad863e594ff268f78e93575
    • SHA512: 34bdc8e091c6348d42699e7f21fe9c620d786b542dcc2542ef097a2d93d2fcc5e6a2720b3d13c58a488719fffa35a59b58ab4c35f6caca97a3d7aa4d57490fca
    • SSDEEP: 1536:SZWOik+pqC5ZflGtJmU32to/UdWxPwBs+zue0:SoqUtvf4PmU32twUm6q5
    Score: 3/10

    • Target: loaderV6/acwow64.dll
    • Size: 37KB
    • MD5: 94e972f7e5f6662dece2c435047d9fa0
    • SHA1: 4f782489bd2cf9f3cf97a17dd2ab158d75022599
    • SHA256: 99c6d28b981552f92341da34deee0a4e0212bfb76f0d5b29711331ad47b9ed25
    • SHA512: 7c4dc945c9c69681cd72329696c9837d60c413bcc0b35429ebc3868bdb30b814e80ce36682cb97aca21130cfd963600631da59acbd3fe3de4fa1f735e16047c2
    • SSDEEP: 768:+6cW1qHGnnU5yadOKjGfDVoHOqAQG2gcwO6:+6c6q2nedO2GfZoHOqm2gcwO6
    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks