Overview

overview

8

Static

static

7

100161df08...f1.exe

windows7-x64

8

100161df08...f1.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    70b59e224a9f85eb673cbed862d4b56e.zip

  • Size

    331KB

  • Sample

    240903-h1mx3a1anr

  • MD5

    9824e9a84084d90f70e48e3cb92c3fa7

  • SHA1

    51e415dd25e0475689d3f2ecfa0b2d5ba4316cda

  • SHA256

    f92113306c09b4be2e5366bda53e3d1be417aaa40768abd3de82776791fcb197

  • SHA512

    22b0823f1f323ecc4b226acba75e26c043c907c2c9d8f41e952938c277b338880a8c2bd5cb3d6b99d9c73986c372c8a02f6aee81bdb8d0d181157a9e14457fcb

  • SSDEEP

    6144:dSopBrYBgxUBfdGjHlKVXS6LW2em1w+PscN7IF0YwvUMmlwugfM36uClbaCp4INO:wuBrYBgaur2S6VeMw+PgPw8HlwZq4O

Score
8/10
discoveryevasionpersistenceprivilege_escalationspywarestealertrojanupx

Malware Config

Targets

    • Target

      100161df0841b00329913fa35a055ce77e448ad16eca5f3dc49a47c4c346bcf1

    • Size

      334KB

    • MD5

      70b59e224a9f85eb673cbed862d4b56e

    • SHA1

      afee4d3a726a27616b719b3d23d1238080b08614

    • SHA256

      100161df0841b00329913fa35a055ce77e448ad16eca5f3dc49a47c4c346bcf1

    • SHA512

      0ded8ba770d4589010003f4cef7d12c74dbc359810974be8898850488a7c0d44fdd97f8ce0770c4ad45879b96339454490a6d29497fd868aacf6da396c21d3a7

    • SSDEEP

      6144:SqSp5zrtkD9mJn9ZBWeK6JKJqxE+18Vo4a9EfZUohIloVm4/eTQ1z:SqYg9mzBM/CR9EfZ5hH1Mk

    Score
    8/10
    discoverypersistencespywarestealerupxevasionprivilege_escalationtrojan

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks