General
-
Target
RELA.rar
-
Size
2.2MB
-
Sample
240811-rx9gbstejj
-
MD5
57648e71ba18e28d1ba18f956dbfbb12
-
SHA1
d102b30e3bb6b4935397cb9774f95f42be632f00
-
SHA256
81dd16016d8301a2805e8d20a1ee1e054e3a4df00f1dec1b26d532ee8e8d4960
-
SHA512
c88d8100250c763742d62ed470c1d2b050fb53cc8d8971a5df9cabaca924f3a2c8e11f1906829de3ef4d391e260c8b906f28f5a43c9d22aeeed5de672cbaad53
-
SSDEEP
49152:rNhyiDKw/rKkius8ED0pd/JWE7F+us3/ldX4W52MUIlqzFB:5EEKyrziurED0p9JWE78u2XxlqzP
Malware Config
Targets
-
-
Target
RELA/CeleryInstaller (1).exe
-
Size
822KB
-
MD5
0bd82e264be214414d6dd26bac3e1770
-
SHA1
5325e64053dcf599a9c5cedec532418716f9d357
-
SHA256
60593ced1e78fd4b3fdffcd58bcde989d8e9b031b3ad9132815fdf614e0449d4
-
SHA512
842a80fed2286d06987cd2dde7ae94fc6c7986eb49cc62684f62f148973e5080df7866e1d2f81d53cb5ac95ef9d88489f6765265e29104be0ae349c6a3164592
-
SSDEEP
12288:c5SsIg0ZvkY29slOLJFbJZXM1Eg/2QAu4NRFNxIg0Z:Ru0ZvkY29+OLfzI2Q0NH10Z
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
-
-
Target
RELA/RobloxPlayerInstaller.exe
-
Size
5.5MB
-
MD5
3191d6165056c1d4283c23bc0b6a0785
-
SHA1
d072084d2cac90facdf6ee9363c71a79ff001016
-
SHA256
cbd127eca5601ef7b8f7bec72e73cf7ae1386696c68af83a252c947559513791
-
SHA512
ac0fa1c6e8192395ec54f301bc9294c2a13cb50698d79d1ca32db9d4deb4852e7607032733d721bc5c9fd8d1ce5610dd73b30b66e0302141377f263a3b7fa0f3
-
SSDEEP
98304:PvvnSTv4jyAjF0jl4kj4/5N6v1sgHqN1qlwlR4tcbMjh+1uGQOY:vnav4xFG2h5zgHqhlRpMjM1oz
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2