braodo | 3cfb5e4c47015ffff48609e8400770850a61d53e59259cba2a0b1c36a88c9aab | Triage

Submit
Reports

Overview

overview

Static

static

sim.py

windows7-x64

3

sim.py

windows10-2004-x64

8

sim.py

ubuntu-22.04-amd64

3

Resubmissions

03-10-2024 14:37

241003-ry6f3azgnm 10

02-10-2024 18:00

241002-wlawvazanm 10

Sharing

General

Target

sim.py
Size

20KB
Sample

241003-ry6f3azgnm
MD5

0c472b2e6618aca50cb2dff20cd51562
SHA1

df5a0d16ee26aa97087c9d1cd28e08632bcd6000
SHA256

3cfb5e4c47015ffff48609e8400770850a61d53e59259cba2a0b1c36a88c9aab
SHA512

17ac9ba0eb34fb86bdc2cec890f54b0a802b8535c05bfa8479e69a63c352eba51b9df04eb66b03a431921de7bde368d5a7a2edb6217b7b2871f4cdc1a114a1dc
SSDEEP

384:GRExTcSVqPb61rNykWy/k74Fft1froMzZOguu:NxTcSVqPb6N/7oIeu

Score

10^/10

braodo defense_evasion discovery execution linux persistence privilege_escalation stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

sim.py

Resource

win7-20240903-en

windows7-x64

4 signatures

1800 seconds

Behavioral task

behavioral2

Sample

sim.py

Resource

win10v2004-20240802-en

defense_evasion discovery persistence privilege_escalation

windows10-2004-x64

29 signatures

1800 seconds

Behavioral task

behavioral3

Sample

sim.py

Resource

ubuntu2204-amd64-20240611-en

ubuntu-22.04-amd64

1 signatures

1800 seconds

Malware Config

Targets

- Target
  
  sim.py
- Size
  
  20KB
- MD5
  
  0c472b2e6618aca50cb2dff20cd51562
- SHA1
  
  df5a0d16ee26aa97087c9d1cd28e08632bcd6000
- SHA256
  
  3cfb5e4c47015ffff48609e8400770850a61d53e59259cba2a0b1c36a88c9aab
- SHA512
  
  17ac9ba0eb34fb86bdc2cec890f54b0a802b8535c05bfa8479e69a63c352eba51b9df04eb66b03a431921de7bde368d5a7a2edb6217b7b2871f4cdc1a114a1dc
- SSDEEP
  
  384:GRExTcSVqPb61rNykWy/k74Fft1froMzZOguu:NxTcSVqPb6N/7oIeu
Score

8^/10

defense_evasion discovery persistence privilege_escalation execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Python

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasiondiscoverypersistenceprivilege_escalation

behavioral3

© 2018-2024

Terms | Privacy