4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23 | Triage

Resubmissions

10-09-2024 18:03

240910-wnbk6axblq 10

10-09-2024 17:52

240910-wf31faxgqb 10

Sharing

General

Target

RNSM00486.7z
Size

117.8MB
Sample

240910-wf31faxgqb
MD5

9cad20cac5e7a2828d978175bb888a8d
SHA1

d7253644d5b0c999adef488892b0b34115576d53
SHA256

4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23
SHA512

271023ad2f017c2a89e81ebe67725ad3ef5e4114bd0249505fa1fff6ca102a314b93ef3ac7463f816b187b1cc11f521465138dbfcff8a08d32e1ce3ac0855b87
SSDEEP

3145728:4AORmmLuCgOX0cXsvmpqt8t2ed+Uv81oz+tHTQY:lmym0HvmZdZZszQY

Score

10^/10

discovery persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/880265796767608892/881902176195186728/New_Text_Document.txt

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com.tr
Port:
587
Username:
[email protected]
Password:
010203040506

Targets

- Target
  
  RNSM00486.7z
- Size
  
  117.8MB
- MD5
  
  9cad20cac5e7a2828d978175bb888a8d
- SHA1
  
  d7253644d5b0c999adef488892b0b34115576d53
- SHA256
  
  4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23
- SHA512
  
  271023ad2f017c2a89e81ebe67725ad3ef5e4114bd0249505fa1fff6ca102a314b93ef3ac7463f816b187b1cc11f521465138dbfcff8a08d32e1ce3ac0855b87
- SSDEEP
  
  3145728:4AORmmLuCgOX0cXsvmpqt8t2ed+Uv81oz+tHTQY:lmym0HvmZdZZszQY
Score

10^/10

discovery persistence upx
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceupx