84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c | Triage

Sharing

General

Target

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.unknown
Size

683KB
Sample

240924-kxtmjssapf
MD5

89af3d1c013508a4c303b662082b37b5
SHA1

27c09a549b4aa399d03440fc543fc72cea662231
SHA256

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c
SHA512

716a5bf5a788d976138dac3c7b7eb968fb4c20ec06bf45e2d0dfc99aa4f1594eb067285c2c0597999876067951627722634cc9fc243a3736e535a13c385569f6
SSDEEP

1536:4vvvvvvvvvvvvvvvvvvvvvvvL88888888888888888888888888888888888888R:fvE

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Targets

- Target
  
  84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.unknown
- Size
  
  683KB
- MD5
  
  89af3d1c013508a4c303b662082b37b5
- SHA1
  
  27c09a549b4aa399d03440fc543fc72cea662231
- SHA256
  
  84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c
- SHA512
  
  716a5bf5a788d976138dac3c7b7eb968fb4c20ec06bf45e2d0dfc99aa4f1594eb067285c2c0597999876067951627722634cc9fc243a3736e535a13c385569f6
- SSDEEP
  
  1536:4vvvvvvvvvvvvvvvvvvvvvvvL88888888888888888888888888888888888888R:fvE
Score

10^/10

execution defense_evasion persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasionexecutionpersistence