General
-
Target
SampCheat.zip
-
Size
2.0MB
-
Sample
240915-l3teeaxhld
-
MD5
ac515523cb2b3733ef577b41be25f567
-
SHA1
de33fa0b3c4cf54453f15181d636ee019cfb68ed
-
SHA256
b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085
-
SHA512
ed79899f7c030696816ae969a6eea0aba82da3d6842fc7e156bcba726eabea9a761c8c84a04dc4e72094e710b6235eb980d1aea8a55b86e9f99539c95ae168a4
-
SSDEEP
49152:6L88/y6uin8A/AKoiejQDdAtbRib29m8O4O:evome8DitLzO
Malware Config
Targets
-
-
Target
SampCheat.exe
-
Size
6.6MB
-
MD5
73d7e637cd16f1f807930fa6442436df
-
SHA1
26c13b2c29065485ce1858d85d9dc792c06ed052
-
SHA256
cd0f7fb1020a931c98c7c258241f06292cb9b7cab8e9acdb4010f4d56f076ef6
-
SHA512
f3561a2090e70b6a2a7c4070daebce1b9ff269fef1a8ca6297c20eb28170675eec7c689d05a05a00b8ddb2d1c2c82639c5d53f63782c0460acd4d3aa95328922
-
SSDEEP
49152:AnsHyjtk2MYC5GDuBJIopGdJ3Rjl4eZK4qgTouABRCXO8DSTYa:Ansmtk2aTeo4dJhjieLq37z8mka
Score10/10-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1