General
-
Target
Unconfirmed 581740.crdownload
-
Size
6.9MB
-
Sample
240811-2pl16ssepr
-
MD5
30d7f52212fcdac3f6c42e167add87ff
-
SHA1
eb066058d43d59a0da50a5f7b1a908fff28e2320
-
SHA256
8a55127e468ac1c351487eb1199d3bf26818d6449d3e7fa4a9fe72425a43a007
-
SHA512
e3c6a63d5b7870493609e54e7e97b5e8f585d1562cc70738ce227f93cc73448426860dae8cd845eaa0c3d47228ffc941c465b657625c0ac044fd3a0c1b1bcdd4
-
SSDEEP
12288:HHmcHzIgWtlqs6IZhdXccf5vQ5/c+tqrrhVcUR1ve/2t66k47l5qi:nmIzIFt6IZDXccBQ5/c+tqrfcUrjqi
Malware Config
Targets
-
-
Target
Unconfirmed 581740.crdownload
-
Size
6.9MB
-
MD5
30d7f52212fcdac3f6c42e167add87ff
-
SHA1
eb066058d43d59a0da50a5f7b1a908fff28e2320
-
SHA256
8a55127e468ac1c351487eb1199d3bf26818d6449d3e7fa4a9fe72425a43a007
-
SHA512
e3c6a63d5b7870493609e54e7e97b5e8f585d1562cc70738ce227f93cc73448426860dae8cd845eaa0c3d47228ffc941c465b657625c0ac044fd3a0c1b1bcdd4
-
SSDEEP
12288:HHmcHzIgWtlqs6IZhdXccf5vQ5/c+tqrrhVcUR1ve/2t66k47l5qi:nmIzIFt6IZDXccBQ5/c+tqrfcUrjqi
Score8/10-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks whether UAC is enabled
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Event Triggered Execution: Image File Execution Options Injection
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Network Service Discovery
Attempt to gather information on host's network.
-
Network Share Discovery
Attempt to gather information on host network.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Indicator Removal
1Clear Persistence
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Discovery
Browser Information Discovery
1Network Service Discovery
1Network Share Discovery
1Peripheral Device Discovery
1Query Registry
7System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1