General

  • Target

    Setup.exe

  • Size

    278.4MB

  • Sample

    240822-p25mtszhrp

  • MD5

    9dacbadf533162eee3232c6145379ad9

  • SHA1

    9829f28df6665d9151bbb220859793195b22eea9

  • SHA256

    7d16afe9c55f554a56e3e5475b7232aedfba3aff39ebb8f4000742a5a17011ae

  • SHA512

    1899f9f7ccdcb7a153dde45542ae7aaf7efea4a80378dca7bf5d9ac4f2528c1f96e39ddc16e297e24e9f43e42fe2caa805358ec858a6325ea0122de95ede80b3

  • SSDEEP

    6291456:1JFmXt8OwI1I7anuE5JMUmx12H5XnDjgeitIvWmNR2:Dct8ONIenuE5JTmxoZTjgHoWP

Malware Config

Targets

    • Target

      Setup.exe

    • Size

      278.4MB

    • MD5

      9dacbadf533162eee3232c6145379ad9

    • SHA1

      9829f28df6665d9151bbb220859793195b22eea9

    • SHA256

      7d16afe9c55f554a56e3e5475b7232aedfba3aff39ebb8f4000742a5a17011ae

    • SHA512

      1899f9f7ccdcb7a153dde45542ae7aaf7efea4a80378dca7bf5d9ac4f2528c1f96e39ddc16e297e24e9f43e42fe2caa805358ec858a6325ea0122de95ede80b3

    • SSDEEP

      6291456:1JFmXt8OwI1I7anuE5JMUmx12H5XnDjgeitIvWmNR2:Dct8ONIenuE5JTmxoZTjgHoWP

    • Drops file in Drivers directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      14KB

    • MD5

      325b008aec81e5aaa57096f05d4212b5

    • SHA1

      27a2d89747a20305b6518438eff5b9f57f7df5c3

    • SHA256

      c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

    • SHA512

      18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

    • SSDEEP

      192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo

    Score
    3/10
    • Target

      $PLUGINSDIR/KillProcDLL.dll

    • Size

      4KB

    • MD5

      99f345cf51b6c3c317d20a81acb11012

    • SHA1

      b3d0355f527c536ea14a8ff51741c8739d66f727

    • SHA256

      c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

    • SHA512

      937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

    Score
    3/10
    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      9384f4007c492d4fa040924f31c00166

    • SHA1

      aba37faef30d7c445584c688a0b5638f5db31c7b

    • SHA256

      60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

    • SHA512

      68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

    • SSDEEP

      48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      c17103ae9072a06da581dec998343fc1

    • SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    • SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    • SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • SSDEEP

      192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw

    Score
    3/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      7579ade7ae1747a31960a228ce02e666

    • SHA1

      8ec8571a296737e819dcf86353a43fcf8ec63351

    • SHA256

      564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

    • SHA512

      a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      acc2b699edfea5bf5aae45aba3a41e96

    • SHA1

      d2accf4d494e43ceb2cff69abe4dd17147d29cc2

    • SHA256

      168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

    • SHA512

      e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

    • SSDEEP

      96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX

    Score
    3/10
    • Target

      $PLUGINSDIR/nsProcess.dll

    • Size

      4KB

    • MD5

      05450face243b3a7472407b999b03a72

    • SHA1

      ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

    • SHA256

      95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

    • SHA512

      f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

    Score
    3/10
    • Target

      $TEMP/Droid4X/vbox32.msi

    • Size

      19.7MB

    • MD5

      7f59758124f6927168fe6060e24aed0a

    • SHA1

      ce9a9b9b1dd64f23c2f49ca5eae63dbc00eaa18b

    • SHA256

      4db6e23f6a67d6dc8054f4132dcf5b366c9e2c24058b5bc7458cad62b5b6b1c3

    • SHA512

      557183c30e303f213b1d648cf348c39c7255b56fba231f6d1fcd0d20f37e78e2e21ae98fa21bf876bf064af9df58bdf6c81a596249fde8354ba556f8faf72333

    • SSDEEP

      393216:8OYMEV9Xi7Ftc/MoO3eg2/x3LpaqioutRmoVQnmvYFbpSuVy/dtOhqZ2DMn7:0r47FtckoOOT3aqPutsPnmvGSugP

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      $TEMP/Droid4X/vbox64.msi

    • Size

      24.4MB

    • MD5

      a70212c7b6c6508422f0ebbcaf28d30c

    • SHA1

      3b87727ee01d4021d25fcaca689aef3b81f8d449

    • SHA256

      71b3a3ec08233f7e8faddde27aad53b2fd541be3117be1b1992adda069c949c3

    • SHA512

      42482a4f50d21a9882d126186d31af9c9c84ecae1d8b750248b054ab40b88451e49d6ff047d63f3c4c8482e7a297b7cb0795046c39fdb5069175f43f5a0b2a21

    • SSDEEP

      393216:gFfY4jBbJDR8ypFtOwmULXuz7qBrRDp5nIlnsAA8kHWqP2rWZ7mObSk8QrCN1vhl:gJzJJDRxj71z6mrRDpJeyxHFr7Fg

    • Drops file in Drivers directory

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      $TEMP/Droid4X/vcredist_x86.exe

    • Size

      4.0MB

    • MD5

      5689d43c3b201dd3810fa3bba4a6476a

    • SHA1

      6939100e397cef26ec22e95e53fcd9fc979b7bc9

    • SHA256

      41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

    • SHA512

      4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

    • SSDEEP

      49152:DQC7p7i0AY9PE1UJEfcnKiJ/K7+RIaCSi3haenvUvwwZDfimxQ02BhoZGxaJq8QQ:DLp7ilY9CQEcKz+kSixJvzwZeK2ggYK4

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      7-zip.dll

    • Size

      48KB

    • MD5

      f26d547ba386eb311269dcc9c8f5bc58

    • SHA1

      1d9a90037b5c0cafa7834907fff08b6030f356f1

    • SHA256

      8469c62689d0cbf6a6222245cebbdf93d00b148feeef89a44824db60deeb4e82

    • SHA512

      03c9f0fdc7082476b015bb3e91e2d38bcdf2cfae242c612d06e6c335eca119144105224ed342627a789e5520a197f6c9d7f2d21fb29dd032b9774664dc21dde7

    • SSDEEP

      768:amJDcy3s8FOA+GGOpVLBvGYSVFGJtJX4b4O7s5WvQZiDWa1ElD7whZK/CG:b2esjTGdWYSVsJj+4F5WZDWaClDshQC

    Score
    3/10
    • Target

      7z.dll

    • Size

      1.0MB

    • MD5

      e2bbe1d3fc7a945508c9c12dde0b0819

    • SHA1

      6b0d91885a482056b14e4f410a970bdfb7ea25a1

    • SHA256

      97a169f0fa3b447255475ac4dbfea935753c9f54e81a8a1563db84a2a38ddfc5

    • SHA512

      0672162ddec34c31dec9e1a6efb603283fac987f7ba90f0f271ce2d74094b33ba7ae4c81678d0c48f30d293b2b3241d9756c8ef6dc1338f6cbda7769f88b2ff3

    • SSDEEP

      24576:bmxEJAbl4UxkreWJvxrnpFwr7lGn3GgNiok2adu1tH+B:bJibl4USrewxrnp+fMH+B

    Score
    3/10
    • Target

      7z.exe

    • Size

      264KB

    • MD5

      c05e44965d82f5f2f887b9466760cbb5

    • SHA1

      c8e805bace4a7be9bc3498a31034f54909262f2a

    • SHA256

      1e3994903cde369371bb1d5fd8b410b05c74ead450f51a69eacd2e321cfa852b

    • SHA512

      771c71847c73ccab88a6fac667b4a12a658e0b121dd7b109cccbaca52b79798087f010c08a1258fd142ff52534acd6ce0304cf39268e80eede968dbdd71b81e8

    • SSDEEP

      6144:dEE/64dHsvO6xftbJKsUZ1RhINx23PMSEHYrPrD:CE/xAjftbgsUZexdo

    Score
    3/10
    • Target

      AdbWinApi.dll

    • Size

      101KB

    • MD5

      5abde136d977e153db425ca7c3134f88

    • SHA1

      3cea022946e98277a4f679603e95f14ffab9b177

    • SHA256

      86677a1ec3405204e945b21c4dc17bc2fc5dab9b2d7cf5f61f0817f17ba47d83

    • SHA512

      e0d335c06de88493aa0c4a03c2cc6eed8283f5b34c5a0f0ad39a94aa375ea869a14d87bd2539df14f3c1819a876c855dc646845db8264b46569a5dc4bda86f9d

    • SSDEEP

      1536:bpCxybY0FS6MqS6WvgD9xj03TabrFvY5J6sCGt+iM:bpo0k6ZWVTaif6sCG+

    Score
    3/10
    • Target

      AdbWinUsbApi.dll

    • Size

      66KB

    • MD5

      0062efdd212ff77216ca12d22b356f59

    • SHA1

      440e31e18f2084a2b4b5445b04a6b39a58d9032b

    • SHA256

      d591417e47274ed83865a94a866f742856c75e1e70b5d9422da3fdb8f82e8894

    • SHA512

      f78360b5a46ae8fe82fc8573145417af61baf2be4e27246d9bb389f476c6f61217f4c10341daf34c0049e25f4d53ac4253cfb0476a991f3ae54a8013f1267699

    • SSDEEP

      768:tLNk0yiFYWkgALpW+QvSugX0wUepQNXTQXdF+Q+An70edrqqOkIWyIELgr:8yY8wugEwOVEXdz70e4gIrsr

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

cryptonepacker
Score
9/10

behavioral1

discoverypersistenceprivilege_escalation
Score
8/10

behavioral2

discovery
Score
7/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

persistenceprivilege_escalation
Score
6/10

behavioral18

persistenceprivilege_escalation
Score
6/10

behavioral19

discoverypersistenceprivilege_escalation
Score
8/10

behavioral20

discoverypersistenceprivilege_escalation
Score
8/10

behavioral21

discovery
Score
7/10

behavioral22

discovery
Score
7/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10