Overview

overview

10

Static

static

3

git.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    git.exe

  • Size

    33.3MB

  • Sample

    240903-cfzhgatfrj

  • MD5

    512579f27a89019435c2ed2ca544e001

  • SHA1

    2b00a51e4393e1f93308ff2fa0dd63963568f2cd

  • SHA256

    6fb0fb6b6d38523250308c159d293326c71d1ae38f4707af69e8352993d09877

  • SHA512

    b5077641a251829ce31db7ca7072c62f1a9bd9202703cbd62cb2404abbfe9b09d987b26aff45a481e473f6e2c9b885c18eb83487835ed42f5781ea273aff4c58

  • SSDEEP

    786432:c2QGFngPQEErU+2j6+s7LWB75zuOOoh1eqtq2Jx6:HQkn89E/2qHWB75i2D5tq2Jx6

Score
10/10
defense_evasiondiscoveryevasionpersistencepyinstallertrojan

Malware Config

Targets

    • Target

      git.exe

    • Size

      33.3MB

    • MD5

      512579f27a89019435c2ed2ca544e001

    • SHA1

      2b00a51e4393e1f93308ff2fa0dd63963568f2cd

    • SHA256

      6fb0fb6b6d38523250308c159d293326c71d1ae38f4707af69e8352993d09877

    • SHA512

      b5077641a251829ce31db7ca7072c62f1a9bd9202703cbd62cb2404abbfe9b09d987b26aff45a481e473f6e2c9b885c18eb83487835ed42f5781ea273aff4c58

    • SSDEEP

      786432:c2QGFngPQEErU+2j6+s7LWB75zuOOoh1eqtq2Jx6:HQkn89E/2qHWB75i2D5tq2Jx6

    Score
    10/10
    defense_evasiondiscoveryevasionpersistencetrojan

    • UAC bypass

      evasiontrojan

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      remove IFEO.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Modify Registry

4
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks