Resubmissions
24-09-2024 00:23
240924-apjghavfmd 10General
-
Target
revo_uninstaller_pro-4.4.2-installer_zfeiM-1.exe
-
Size
1.7MB
-
Sample
240924-apjghavfmd
-
MD5
d886964de975ed55d7dc2598377a1018
-
SHA1
c556895d580a8a6bb4cdaff412524e062085cbbe
-
SHA256
4b7fa1916e4575b5e7a5f86cf5ca71968e4a18f53a5c7730279eafb8cdc4ce9d
-
SHA512
6468cf32304092c36caa9e1f4801fad3e46c1fe7882d01dbd4c271bfa22eab4ca35775df54579c0eafd18a82341a0808f624e0b957603117a7205f60943a7e9f
-
SSDEEP
24576:M7FUDowAyrTVE3U5F/XVc4pfVqhAlwIIgHbEWZCVvKkGPoK1PjMIgGmejOb+ofZp:MBuZrEURVxBgV6P3PjMI/mAUz
Malware Config
Targets
-
-
Target
revo_uninstaller_pro-4.4.2-installer_zfeiM-1.exe
-
Size
1.7MB
-
MD5
d886964de975ed55d7dc2598377a1018
-
SHA1
c556895d580a8a6bb4cdaff412524e062085cbbe
-
SHA256
4b7fa1916e4575b5e7a5f86cf5ca71968e4a18f53a5c7730279eafb8cdc4ce9d
-
SHA512
6468cf32304092c36caa9e1f4801fad3e46c1fe7882d01dbd4c271bfa22eab4ca35775df54579c0eafd18a82341a0808f624e0b957603117a7205f60943a7e9f
-
SSDEEP
24576:M7FUDowAyrTVE3U5F/XVc4pfVqhAlwIIgHbEWZCVvKkGPoK1PjMIgGmejOb+ofZp:MBuZrEURVxBgV6P3PjMI/mAUz
Score10/10-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks for any installed AV software in registry
-
Downloads MZ/PE file
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies powershell logging option
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1