General
-
Target
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N
-
Size
5.5MB
-
Sample
241003-k4p8psyfje
-
MD5
bb03e8f97d4a17dedc001090c096ff60
-
SHA1
dfe5de118a5f8ef8fd38d8748b1f28a5c14f04df
-
SHA256
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57
-
SHA512
d8fa1be73c86e03530a6b0bde7b95f0f4d62891af96d4fe905856ad6997121574ce5d9ab9c7bbc07b8245899667888028d45576f862e5593b61ac9e4dab37b9b
-
SSDEEP
98304:VTcW6I+2hiVK/Frlc328jTU5F4sb7nZ/BsfBi0XsPmVMqyPcWeY5X8:lcRI+2hGKBY2dF4sb7nRefB/8+mkfY5s
Behavioral task
behavioral1
Sample
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1216442245281087579/WdcHykTG9s553QUy8I1Ile3cHRoWrt03OHQcBjEQwILw3YwXPawFgdx__0VddKqHYPd1
Targets
-
-
Target
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N
-
Size
5.5MB
-
MD5
bb03e8f97d4a17dedc001090c096ff60
-
SHA1
dfe5de118a5f8ef8fd38d8748b1f28a5c14f04df
-
SHA256
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57
-
SHA512
d8fa1be73c86e03530a6b0bde7b95f0f4d62891af96d4fe905856ad6997121574ce5d9ab9c7bbc07b8245899667888028d45576f862e5593b61ac9e4dab37b9b
-
SSDEEP
98304:VTcW6I+2hiVK/Frlc328jTU5F4sb7nZ/BsfBi0XsPmVMqyPcWeY5X8:lcRI+2hGKBY2dF4sb7nRefB/8+mkfY5s
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2