General

  • Target

    Protected.exe

  • Size

    4.0MB

  • Sample

    240923-wv78pswdql

  • MD5

    776eed86bb7308e19b019099245bc58c

  • SHA1

    bb18259395d43b9b07fe63726805157b7dfda286

  • SHA256

    c94750f87bb70c03a496307e6a67aedc4d7c12a827c01dd10166a3d0ba4d8fc7

  • SHA512

    fede548d59c02351f771b17803878a724e16a9a6c93be80b9c072cb44c71562d69ff3c2a7ecc2f699be94f9ced69abdee9d8c42c75affb2aa4448e688bf12038

  • SSDEEP

    98304:dUM3Ff8wfGvV31YY7KHC009WlCkoJWK3GpaElH:dUM3FTfsV3Z7AjEWYkoYKWph

Malware Config

Targets

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks