Resubmissions
01/11/2024, 18:21
241101-wzj2nssjhv 330/10/2024, 08:46
241030-kpp96aymay 620/10/2024, 10:28
241020-mh5glsvgkn 1019/10/2024, 11:06
241019-m7emgsvcnn 819/10/2024, 09:10
241019-k45cmaxhpd 319/10/2024, 03:10
241019-dn7z9atdqd 818/10/2024, 16:09
241018-tmaalaxhnq 313/10/2024, 18:31
241013-w6bc4s1ele 828/09/2024, 15:24
240928-stfwaasfjq 6General
-
Target
Ayca_22.exe
-
Size
451KB
-
Sample
240921-px5r2aserd
-
MD5
1162870766a7524abc673d6d6f6fe0a9
-
SHA1
75509e298457313aec200d93ab60f73ca1d00fde
-
SHA256
800b2af9b28c76d83a0bad6a9d032c9167d9262ab45c3e8ebc6c53530183069d
-
SHA512
d8f2b90bc3ddff12b9d60143518287fcf280ebb17299b50b382a82bbfbaa982ee63faf70d01bb44e5727507c6d5d732f686ce7bc7f014a1b357d8cb9db52e19e
-
SSDEEP
6144:Traq37wODH1cNaej2JMBO+1ObTq45kCNYczkF77TlTFBYdHJz6:B7wsAKJMBAFNVkF77RTz
Malware Config
Targets
-
-
Target
Ayca_22.exe
-
Size
451KB
-
MD5
1162870766a7524abc673d6d6f6fe0a9
-
SHA1
75509e298457313aec200d93ab60f73ca1d00fde
-
SHA256
800b2af9b28c76d83a0bad6a9d032c9167d9262ab45c3e8ebc6c53530183069d
-
SHA512
d8f2b90bc3ddff12b9d60143518287fcf280ebb17299b50b382a82bbfbaa982ee63faf70d01bb44e5727507c6d5d732f686ce7bc7f014a1b357d8cb9db52e19e
-
SSDEEP
6144:Traq37wODH1cNaej2JMBO+1ObTq45kCNYczkF77TlTFBYdHJz6:B7wsAKJMBAFNVkF77RTz
Score10/10-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Windows security bypass
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Modifies boot configuration data using bcdedit
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Event Triggered Execution: Image File Execution Options Injection
-
Looks for Xen service registry key.
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Windows security modification
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Boot or Logon Autostart Execution: Authentication Package
Suspicious Windows Authentication Registry Modification.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
7Active Setup
1Authentication Package
1Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
5AppInit DLLs
1Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
7Active Setup
1Authentication Package
1Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
5AppInit DLLs
1Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
1Clear Persistence
1Modify Registry
14Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
2Credentials In Files
2Discovery
Browser Information Discovery
1Peripheral Device Discovery
3Query Registry
9Software Discovery
1Security Software Discovery
1System Information Discovery
10System Location Discovery
1System Language Discovery
1Virtualization/Sandbox Evasion
1