Overview

overview

10

Static

static

10

Setup.exe

windows10-2004-x64

main.pyc

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup.exe

  • Size

    17.8MB

  • Sample

    240831-nnr9xa1dkf

  • MD5

    284028bd2b2ea8f2303ce0161c7ea84a

  • SHA1

    343e8d8487bdefebfdadfac66415e5f3148b3111

  • SHA256

    25d239bb2c986663eef3c6b450b8b6487b1aabfa1967ee4944ac0620a76ca5cd

  • SHA512

    57bb09c386ea3e26e6f7f4a623b3bf6fa1f16e5ac8c4efa8a672d6d1d2d54a555eed1d1f922997cf901e3dd43493644ad557f6484d81cbb63a7a88b32223c01c

  • SSDEEP

    393216:vqPnLFXlreQ8DOETgsvfGFdgKt5vEetCXyNnZ+q:CPLFXNeQhEelk1XyNp

Score
10/10
empyreancredential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealertrojanupx

Malware Config

Targets

    • Target

      Setup.exe

    • Size

      17.8MB

    • MD5

      284028bd2b2ea8f2303ce0161c7ea84a

    • SHA1

      343e8d8487bdefebfdadfac66415e5f3148b3111

    • SHA256

      25d239bb2c986663eef3c6b450b8b6487b1aabfa1967ee4944ac0620a76ca5cd

    • SHA512

      57bb09c386ea3e26e6f7f4a623b3bf6fa1f16e5ac8c4efa8a672d6d1d2d54a555eed1d1f922997cf901e3dd43493644ad557f6484d81cbb63a7a88b32223c01c

    • SSDEEP

      393216:vqPnLFXlreQ8DOETgsvfGFdgKt5vEetCXyNnZ+q:CPLFXNeQhEelk1XyNp

    Score
    9/10
    credential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationspywarestealertrojanupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      main.pyc

    • Size

      7KB

    • MD5

      5db9f36860585652c3fc424286a088ef

    • SHA1

      9727de681a58bb7fb1643d853af4536543029ac7

    • SHA256

      df930b0cbc457e3a83d7f8bdbe50a93042ffb4002bae042a8bd606ad8ebaa5ae

    • SHA512

      468a60743264a907a4af81a2cd5e6d27781d94e9357c6ab50ea4bce892d171c1711f5512fc5f24912bc35c065c7d9a6e1b2c22306425e9c7698fd38a5c258c79

    • SSDEEP

      192:wExyE2I7VD8rjchtnWdXwzVR3/oTJhw04Mdw/nw:E3MFhWuz/w1204P/w

    Score
    3/10
    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.