Overview

overview

8

Static

static

5

app.exe

windows7-x64

8

app.exe

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

  • Target

    app.exe

  • Size

    1.2MB

  • Sample

    241009-j51kdssakb

  • MD5

    58ba20a38c3042d6a13dfec3c561cfbd

  • SHA1

    ea3a47e6a46b990f6046bd77b96e9d42bdd3a55f

  • SHA256

    ae1ff3a27a9e826de5b69d0a8c54bb8751daed10bdd8ac4dd04f2539877b0db1

  • SHA512

    833315c7ad0159193f49d46a7b490458725bb230d4b048ea24cc60562f1cfa26f6262c42882d0970dc0c4bd3eec8198730fc7541b6dd48dbb4132341259328ed

  • SSDEEP

    24576:Lrr/9x2rDc30x5tUewSFYndCfeI+GajylnGhj9EirEuaXmSmmzpIT1:LH+zxbUJndWeMln8FrmXmSmaIT1

Score
8/10
defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationupx

Malware Config

Targets

    • Target

      app.exe

    • Size

      1.2MB

    • MD5

      58ba20a38c3042d6a13dfec3c561cfbd

    • SHA1

      ea3a47e6a46b990f6046bd77b96e9d42bdd3a55f

    • SHA256

      ae1ff3a27a9e826de5b69d0a8c54bb8751daed10bdd8ac4dd04f2539877b0db1

    • SHA512

      833315c7ad0159193f49d46a7b490458725bb230d4b048ea24cc60562f1cfa26f6262c42882d0970dc0c4bd3eec8198730fc7541b6dd48dbb4132341259328ed

    • SSDEEP

      24576:Lrr/9x2rDc30x5tUewSFYndCfeI+GajylnGhj9EirEuaXmSmmzpIT1:LH+zxbUJndWeMln8FrmXmSmaIT1

    Score
    8/10
    defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationupx

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Network Share Discovery

1
T1135

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks