Overview

overview

10

Static

static

1

drfone_set...24.exe

windows7-x64

10

Resubmissions

05-10-2024 02:55

241005-detfha1fkp 10

05-10-2024 02:52

241005-dcxedavhnh 10

05-10-2024 02:44

241005-c8mdls1cjk 4

05-10-2024 02:43

241005-c7pgksvfjf 4

Sharing

Copy URL
Twitter E-mail

General

  • Target

    drfone_setup_full3824.exe

  • Size

    2.4MB

  • Sample

    241005-dcxedavhnh

  • MD5

    d083de3cd489927464db90cebf1a6e59

  • SHA1

    ee2b6ec10a5eeebc882302c4976d6edbc427b274

  • SHA256

    580a232eb87da0f8536e3e267318eb3d99ded46fe61631408b091cd497c60b42

  • SHA512

    89a31707b86804adc02bec5a36c277610d88862634325b0c9c2072d95dbe57491a4ef7b16b2c187fcb284831f969877ffd53253951d89c581af1ea1c48743970

  • SSDEEP

    49152:IvSzkJnOyQpABa+VsNbwzPhTzoL6Y0fxfNrBhf0uzkf+:Iqzkbkbhwz2Lb0fxfNrJ

Score
10/10
discoveryevasionexecutionpersistenceprivilege_escalationupxvmprotect

Malware Config

Targets

    • Target

      drfone_setup_full3824.exe

    • Size

      2.4MB

    • MD5

      d083de3cd489927464db90cebf1a6e59

    • SHA1

      ee2b6ec10a5eeebc882302c4976d6edbc427b274

    • SHA256

      580a232eb87da0f8536e3e267318eb3d99ded46fe61631408b091cd497c60b42

    • SHA512

      89a31707b86804adc02bec5a36c277610d88862634325b0c9c2072d95dbe57491a4ef7b16b2c187fcb284831f969877ffd53253951d89c581af1ea1c48743970

    • SSDEEP

      49152:IvSzkJnOyQpABa+VsNbwzPhTzoL6Y0fxfNrBhf0uzkf+:Iqzkbkbhwz2Lb0fxfNrJ

    Score
    10/10
    discoveryevasionexecutionpersistenceprivilege_escalationupxvmprotect

    • Modifies firewall policy service

      evasion

    • Creates new service(s)

      persistenceexecution

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies Windows Firewall

      evasion

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

2
T1562.004

Modify Registry

3
T1112

Subvert Trust Controls

2
T1553

Install Root Certificate

1
T1553.004

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks