General

  • Target

    3.exe

  • Size

    1.5MB

  • Sample

    241015-ts28kayckj

  • MD5

    eb2687ee1d80d507b550f9c02523db06

  • SHA1

    5b80a6c46dd5cd85001486ea4d09ebf8c674f802

  • SHA256

    b39e4ddf7c57a6c85196e27ddf255811bd3bb3a73363227e455059008468d4b8

  • SHA512

    1b96045d8537e989e94a66fa578a3ff42b36aa3643d34b2f791ed3b0f4e5849faac2856640eab3fdb38746b827a9450f583a3e311781516564ba615a293668d5

  • SSDEEP

    24576:cioa9QayPNalHGq8e27bb0hfgmvYXbNqaDQeXX/X3qwiRfDdzijgnLpv:cippYNQHGq87b7mv4Es/3qwiVDdz/h

Malware Config

Targets

    • Modifies RDP port number used by Windows

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

    • Adds Run key to start application

    • Checks registry for disk virtualization

      Detecting virtualization disks is often done to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

MITRE ATT&CK Enterprise v15

Tasks