Overview

overview

9

Static

static

1

6b4567dbdc...0N.exe

windows7-x64

9

6b4567dbdc...0N.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6b4567dbdc0de8a3c940f1442e683a20N

  • Size

    4.1MB

  • Sample

    240908-hcypna1hlp

  • MD5

    6b4567dbdc0de8a3c940f1442e683a20

  • SHA1

    25fd782d43989dc7959e1d0cceb2436b5aa36a0e

  • SHA256

    49410df210daa8176d6783e40e2fb3cf53a923e5b3fa9216ce7af8a3e1754b7c

  • SHA512

    03f65cfc4eb0aea5406c43e3c79f0afc10f45268bb03a18038acfec4baaebb28eff8bc22cc6b0e158e92e9f328042d5b134a6c489dcea5dbc12b67720dc5b7b8

  • SSDEEP

    98304:NLTabwiP+bJMrPh7+c4dnT2ms0TPb9Ae/sW1kLGrMsyzB:ZTabwA+b2rPR+cynTbzb9BsW1YGoLB

Score
9/10
bootkitcredential_accessdiscoverypersistencespywarestealer

Malware Config

Targets

    • Target

      6b4567dbdc0de8a3c940f1442e683a20N

    • Size

      4.1MB

    • MD5

      6b4567dbdc0de8a3c940f1442e683a20

    • SHA1

      25fd782d43989dc7959e1d0cceb2436b5aa36a0e

    • SHA256

      49410df210daa8176d6783e40e2fb3cf53a923e5b3fa9216ce7af8a3e1754b7c

    • SHA512

      03f65cfc4eb0aea5406c43e3c79f0afc10f45268bb03a18038acfec4baaebb28eff8bc22cc6b0e158e92e9f328042d5b134a6c489dcea5dbc12b67720dc5b7b8

    • SSDEEP

      98304:NLTabwiP+bJMrPh7+c4dnT2ms0TPb9Ae/sW1kLGrMsyzB:ZTabwA+b2rPR+cynTbzb9BsW1YGoLB

    Score
    9/10
    bootkitcredential_accessdiscoverypersistencespywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks