b58655503a5b1247394999eb674c1133a1886cbd670f831210fde9c81fd565ba | Triage

Resubmissions

08/08/2024, 18:04

240808-wn4a6swhrk 10

08/08/2024, 17:49

240808-wd3a5awhjl 10

08/08/2024, 17:38

240808-v7shcawglr 10

08/08/2024, 17:24

240808-vy135azfne 10

Sharing

General

Target

archive.zip
Size

13.1MB
Sample

240808-wd3a5awhjl
MD5

270ca907e16b6c7d3d2c4c65509772a3
SHA1

87623209e0aca83dc387eef5ebd09a467df20905
SHA256

b58655503a5b1247394999eb674c1133a1886cbd670f831210fde9c81fd565ba
SHA512

65a62469256359843756c184d5e759a3406400dc31d96443107d944a77f7a72a999a4de6d1744929ce854e6d6392b741bebc3988d1043dcb11b7f61e466f7b00
SSDEEP

196608:FiccpT7/3NLE6F99uyhpoegJ9uyhpoeg2ACobb4VjqdDtIpR3yEp79Yax:Y7/do6F99u4oH9u4onCtV/bPl

Score

10^/10

discovery evasion

Malware Config

Targets

- Target
  
  archive/AppFile.exe
- Size
  
  716.0MB
- MD5
  
  0bbd85dcd282a7fbe78c2ce3c97165ac
- SHA1
  
  e0e5a31d3ee971f0a7c98766d84c78bc3a31193a
- SHA256
  
  e682ed5c59779bc89389b243172f7f6b6372319820e8f65aefdd93c0a1a3be33
- SHA512
  
  3ac34ae372651b5b8a0ac41699633a969158505cd1e429d5312a052ba621bda2cb823bffb4d0333390a6c31a9407bb44b162997ee4348682732b09dc6d820da2
- SSDEEP
  
  98304:mSdaaItMOwNcT43nfPk4fqUgL0r+pOEMpDclH:7du6OE3fLXrbEyD
Score

10^/10

discovery evasion
- Modifies firewall policy service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasion

behavioral2

discoveryevasion

behavioral3

discoveryevasion