General
- Target: RemoveMostErrorMethod (1).exe
- Size: 172KB
- Sample: 241011-xaqctssbjj
- MD5: 5bc28b87b4262d548fd5603a9d869216
- SHA1: 098b95a52dba457ce41226e8a46b95f641aa12d8
- SHA256: 324c87337e9e7fb307003948424d41525ee0c1970278cd73a27a03946ba74fc4
- SHA512: fbc891fa6da23b99a9204c9da15341a48fb2e2e0b785b0f8bb0609211463b29ceffec76adcede378e7d91ed12936b76b18dbbb318d3e72ce9cb9e16c7c164b8c
- SSDEEP: 3072:GMobR7ezAjLOZvmX1X5GWp1icKAArDZz4N9GhbkrNEk1PzG:beR7eamm3p0yN90QEk
Static task: static1
Behavioral task: behavioral1
- Sample: RemoveMostErrorMethod (1).exe
- Resource: win11-20240802-en
Malware Config
Targets
- Target: RemoveMostErrorMethod (1).exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Wipelock
  Wipelock is an Android trojan with multiple capabilities, such as wiping data and reading and sending SMS messages without the victim's knowledge.
- Wipelock Android payload
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
  Attackers can alter the Authenticode and Cryptography registry keys (the SIP and trust provider entries) so that their binary is treated as validly signed.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Declares broadcast receivers with permission to handle system events
- Declares services with permission to bind to the system
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Modifies WinLogon
- Requests dangerous framework permissions
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
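Added example, not code from the sandbox report or from the sample: a read-only PowerShell audit of the registry locations behind the persistence and trust-control signatures above (Run keys, Winlogon Shell/Userinit, Active Setup StubPath, AppInit_DLLs, IFEO Debugger, and the PE SIP and Authenticode trust-provider entries), meant to be run on a host suspected of having executed the sample. It assumes Windows PowerShell 5.1 or later with read access to HKLM, that the stock-Windows defaults hard-coded in it (explorer.exe, userinit.exe, WINTRUST.DLL with CryptSIPVerifyIndirectData and SoftpubAuthenticode) apply to the host, and $SamplePath is an assumed file name to match against; change it to whatever name the dropped copy actually uses.

```powershell
# Added triage script (not part of the sandbox report or the sample). Read-only.
# Assumes Windows PowerShell 5.1+ and read access to HKLM. $SamplePath is an
# assumption: the file name whose presence in a registry value should be flagged.
param([string]$SamplePath = 'RemoveMostErrorMethod (1).exe')

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Technique, $Key, $Name, $Value, $Verdict) {
    $findings.Add([pscustomobject]@{ Technique = $Technique; Key = $Key; Name = $Name; Value = $Value; Verdict = $Verdict })
}

# Compare one registry value with its stock-Windows default (case-insensitive, trimmed).
function Test-Value($Technique, $Key, $Name, $Expected) {
    if (-not (Test-Path $Key)) { return }
    $actual = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual) { return }
    $verdict = if ("$actual".Trim() -ieq $Expected) { 'default' }
               elseif ("$actual" -like "*$SamplePath*") { 'REFERENCES SAMPLE' }
               else { 'NON-DEFAULT' }
    Add-Finding $Technique $Key $Name $actual $verdict
}

$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Winlogon Helper DLL (T1547.004): Shell and Userinit must be the stock values.
Test-Value 'Winlogon' "$nt\Winlogon" 'Shell'    'explorer.exe'
Test-Value 'Winlogon' "$nt\Winlogon" 'Userinit' 'C:\Windows\system32\userinit.exe,'

# AppInit DLLs (T1546.010): the list should be empty and loading disabled (assumed default 0).
Test-Value 'AppInit DLLs' "$nt\Windows" 'AppInit_DLLs'     ''
Test-Value 'AppInit DLLs' "$nt\Windows" 'LoadAppInit_DLLs' '0'

# SIP and Trust Provider Hijacking (T1553.003): PE SIP verification and the Authenticode
# final-policy provider must still point into WINTRUST.DLL.
$sip   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
$trust = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}'
Test-Value 'SIP hijack'   $sip   'Dll'       'WINTRUST.DLL'
Test-Value 'SIP hijack'   $sip   'FuncName'  'CryptSIPVerifyIndirectData'
Test-Value 'Trust hijack' $trust '$DLL'      'WINTRUST.DLL'
Test-Value 'Trust hijack' $trust '$Function' 'SoftpubAuthenticode'

# Run keys (T1547.001), Active Setup StubPath (T1547.014) and IFEO Debugger (T1546.012):
# there is no single "default", so list every value and flag those naming the sample.
$enum = @(
    @{ T = 'Run key';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    @{ T = 'Run key';      Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    @{ T = 'Active Setup'; Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\*'; Name = 'StubPath' }
    @{ T = 'IFEO';         Path = "$nt\Image File Execution Options\*";                          Name = 'Debugger' }
)
foreach ($e in $enum) {
    foreach ($k in Get-Item -Path $e.Path -ErrorAction SilentlyContinue) {
        $names = if ($e.Name) { ,$e.Name } else { $k.GetValueNames() }
        foreach ($n in $names) {
            $v = $k.GetValue($n)
            if ($null -eq $v -or "$v" -eq '') { continue }
            $verdict = if ("$v" -like "*$SamplePath*") { 'REFERENCES SAMPLE' } else { 'review' }
            Add-Finding $e.T $k.PSPath.Replace('Microsoft.PowerShell.Core\Registry::', '') $n $v $verdict
        }
    }
}

$findings | Format-Table Technique, Name, Verdict, Value -AutoSize -Wrap
```

Run it from an elevated prompt so HKLM keys that restrict read access are not silently skipped. On 64-bit hosts the Cryptography and Run keys also have WOW6432Node twins that this script does not walk; check them the same way. A REFERENCES SAMPLE or NON-DEFAULT verdict is a lead to pull the value's target file for analysis, not proof of compromise on its own, since legitimate software also writes Run keys, Active Setup stubs and IFEO entries.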
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
- Browser Extensions (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (3)
  - AppInit DLLs (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (3)
  - AppInit DLLs (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (11)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)