General

  • Target

    wind.zip

  • Size

    76.1MB

  • Sample

    240823-q6n2bazfrl

  • MD5

    4aa2b25c34598686852bb68a29ba1f2a

  • SHA1

    439f19c37c2a2b66fff5f8db9ea66e21e3176e86

  • SHA256

    3e99e305c8adcbf3b1068afcc123a12d3d6c7c15f9e242aff1598e96008983ef

  • SHA512

    9b0ec34565f52498c9ec0edd7c8931c49dc6b970b1e7ac6396ef6ba200195dc4dcaf7fce83604dea2909f01aba162110e0ba540a302dddfab8096d418252b3c4

  • SSDEEP

    1572864:4/VnE+mphoLAJzEYHC8L5S9n7ThSQukcywbRWVwxIKyXn2L/fmpFK4U:cVn+Pk8q7tRp4bYVwixmupF0

Malware Config

Targets

    • Target

      wind/Windinject.exe

    • Size

      79.0MB

    • MD5

      6167f9f62a50b89b5d1d980039bbc387

    • SHA1

      185cee450e86be4b4b97642109bf4ecbf0411929

    • SHA256

      00ddd17fc113fcca57da61267e5cb8b762db0675aaf4afa7f7870c2474b39e05

    • SHA512

      c8b881429819039a4385d0a96ed703604ed402247dd6d8229d0a0b9a267aeff4d19b21a86bf4d86a042f53eb6e232e54f82e6e621bf8a0230e0119872821b96f

    • SSDEEP

      1572864:XvxZQglV3mWMSk8IpG7V+VPhqCMNE7TlgHtqiYgj+h58sMwt9z81cJzi:XvxZxfWhSkB05awCMkeNE5R9zni

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      wind/libcurl.dll

    • Size

      546KB

    • MD5

      2024156665356070ea193498d076ea7e

    • SHA1

      304fd6c02e788ce55404560e88ecc45d78961d1f

    • SHA256

      815e4160ca9fcf4f6bf2b44b004a35cdb5988103d1204102eb7320ce2146a9bb

    • SHA512

      dec6441fe2fe25e5c2bce8f916d58d3be2bb218f2e82d27e346bce5100caac239c484f4e10f0fdfdc152fda209b066ac04d89b62bdcbe5cfe0393734beb16962

    • SSDEEP

      12288:TIEuXoN7eLmPPIy/KN2nalkLPrEOkTR1VcTo/w4l8DJCLd:EEAoleL2PIyyNrlkLPG1VcTo/w4l8DJs

    Score
    1/10
    • Target

      wind/pythoninstaller.bat

    • Size

      1KB

    • MD5

      dad8d6aee0ee58923d05305efda0a068

    • SHA1

      894682e0094c4c897805877747474e472214e92f

    • SHA256

      f283642cc82faf6a70926ac4509cdff0a18b05949c8beb3bcbf19b5eb12b9acb

    • SHA512

      6b167d0752dbfacabddcf497c558190414f2d5b68bcfdf6e7244c1768b0e972a96f43bff8bac238366eef1712cb631fe37165e764424f69c5f03ad45a829b1a5

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      wind/xxhash.dll

    • Size

      45KB

    • MD5

      fd4a9c28c2b7b7f7cae985eed789f0ce

    • SHA1

      44b51dd9a141f3dfcc090549e6c90071f8b55fb4

    • SHA256

      dc354e7ea9046cadbed8645e4666975a523463500c877574f8e8306d958b7304

    • SHA512

      b3ae3d523a1a2de93f05cfa856ac6984d444ee5180f862f0046be3acd02fb499400909449c7e47f764aea2d7d3863e42c7029b0cfc8803b79a91c9f56f3b8bc1

    • SSDEEP

      768:f9otvM7DZ1LMDJdj+LVvgFlJus4zBYdXK3QDV:f9UEDLMDJxKM0scCXKA

    Score
    1/10
    • Target

      wind/zlib1.dll

    • Size

      87KB

    • MD5

      46b86e47c082b3ca753e264538c6b9ba

    • SHA1

      aafa06e387ab9eddc120de3fc0127332cdb8fe1d

    • SHA256

      cf0bf2746b40710452df596fabd497df250f7693db652c13971aee7c69226c18

    • SHA512

      31a396fe4349c81067f1936b92e68b058dea5fee2faf972c3bb39d7e2c6ce48292eac5bbc5b43545e07e8aac03f299fb504bfe651b3e432b64e302c651f3d81b

    • SSDEEP

      1536:47wjHHWwn1rhEzjEp70E2thqlzY2qIOcIOZIelMbHi:4cjH2w1EjEpIqa24SZICMri

    Score
    1/10
    • Target

      wind/zstd.dll

    • Size

      639KB

    • MD5

      91032907f8dc67be99885b0b1169837a

    • SHA1

      63b6cd2442d68907ae64bdf72095ad08f0b4d00e

    • SHA256

      ab04353fdcf07994a048ad4dbec1579436066f047fdd63d36e4e29f4b1dd6a2b

    • SHA512

      83ab14249829f9d98d41363a7a6b5b7be8dfda5f51a017145da7930e42cc9de2ce79a524960d115dc533343b62bfdefdce817d95d0c779687e5ee15f2347856f

    • SSDEEP

      12288:AlNqGONdPaszBp/I3MV4IIdsdVWoRpEn/x:AfazBpw3MV4RdsdVWoRpE

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks