General
-
Target
LDPlayer9_es_com.fontskeyboard.fonts_3210_ld.exe
-
Size
3.4MB
-
Sample
240825-tdxdrstfpj
-
MD5
9f9bbd12ae5894046810e6736ec4d892
-
SHA1
9e81b764a40ec39f6667c54b8d40da0b97cb5a7f
-
SHA256
8d48d0a05d581922a4d30ba98cbf51ea981a37c95fad689e0b84b979e312f6a4
-
SHA512
57d5b59de422394856e15b2d65c1f2a9e85a1b012c954ecad98682a84c7f90ff00be91819c8ae9cd123270e2cf446d69bfb248bde471a29846d57bf401417eaa
-
SSDEEP
49152:p2XX9nMhH9mpVLZ0CSf1pHtOUYqP3CFOrtG/JR9sXafgkDFMVR9C1UhPJXMK701K:p2XX96HMpVLZo1t0xOoGBiCV2Hmd
Malware Config
Targets
-
-
Target
LDPlayer9_es_com.fontskeyboard.fonts_3210_ld.exe
-
Size
3.4MB
-
MD5
9f9bbd12ae5894046810e6736ec4d892
-
SHA1
9e81b764a40ec39f6667c54b8d40da0b97cb5a7f
-
SHA256
8d48d0a05d581922a4d30ba98cbf51ea981a37c95fad689e0b84b979e312f6a4
-
SHA512
57d5b59de422394856e15b2d65c1f2a9e85a1b012c954ecad98682a84c7f90ff00be91819c8ae9cd123270e2cf446d69bfb248bde471a29846d57bf401417eaa
-
SSDEEP
49152:p2XX9nMhH9mpVLZ0CSf1pHtOUYqP3CFOrtG/JR9sXafgkDFMVR9C1UhPJXMK701K:p2XX96HMpVLZo1t0xOoGBiCV2Hmd
Score10/10-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Creates new service(s)
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Possible privilege escalation attempt
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Downloads MZ/PE file
-
Legitimate hosting services abused for malware hosting/C2
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
2Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1