General

  • Target

    __install__v.3.9.8_x64__.zip

  • Size

    49.3MB

  • Sample

    241016-yz3vwstglj

  • MD5

    27ad2a011216f797029109dab7e0e595

  • SHA1

    a77ec481f5f1c1f80285b2345aed30d5552c76c2

  • SHA256

    3066a182534705179d8b2613d54d3ff3c06b62141f7f22f2ce6a0c229169e0f8

  • SHA512

    4a69e1351a2ba5e6362e9fdf8fe0948869054e052c676582ee965c292f7fea93499837412785d3cbb64e985b516a229a2879a350764c49ee39876dd4b3b0961f

  • SSDEEP

    1572864:Wh9p+AkxOx6mkMspNbawUPlE6cJMVLYf7EhHfB7dHB2:Whx+M6mk5pshPlE6cyVLYQ5fBC

Malware Config

Targets

    • Target

      Dism/AppxProvider.dll

    • Size

      574KB

    • MD5

      eb9cbac1aa278b6a8afdb95a9feb4dcc

    • SHA1

      9f12442d4cab56ab451d3954783632f77be7f8e4

    • SHA256

      1bf704107250f4c08fdf2c450d4ab402ba5317a8c026cddf98c0ce225f487d4c

    • SHA512

      ea86c2360622401aa61c8932571df2dbf6c5fcc438d5b1048d61cfe9542cba0b74c1454dced6a13a7cd20fbbe5cbaa0b1432b8e4a6feb6702fd0b7cc37b436f4

    • SSDEEP

      6144:BGcJAp/KyBBQpdjUXE/wK6qGNJlCbVZ5jr0KdKkF5ofnJLZSzlo/Sf/c:BRJhImt9/0KdKkF5+szkz

    • Score

      4/10

    • Target

      Dism/AssocProvider.dll

    • Size

      113KB

    • MD5

      b7db592706d3eefbcf0d5a166d462e56

    • SHA1

      935123fda68594f0c52a765c4bbf468e4458189f

    • SHA256

      de21321272862e7c332e1724dc315f06f3abe7a0340e61d351cab208d6bbf059

    • SHA512

      91a1529db5816695c4424eaf71923ec63430b872cb1e179b6fa63c84acf0ac94baf71f39217f6c28818cd74fcad954a29f1e2efe655c5a0353f7aafdf8740f0c

    • SSDEEP

      1536:Q9TBLzWvVZtglIDIQdgDbEyuh9kHsyj2HUkPi7Hl1KbPWYzzS:Q1uL6IdgDWjkH5E3eKbuYz2

    • Score

      1/10

    • Target

      Dism/FolderProvider.dll

    • Size

      60KB

    • MD5

      589d4527d1b070fdb635db7981ae5fc5

    • SHA1

      85133ca84bf43e7b3aa0054af66991c30ce68d3e

    • SHA256

      011c5753d336a1898913f9ca2a5458eba88a93cb8c719a3cb222cad58ced15a0

    • SHA512

      b065851dc3838c9f251bee7081b4c38d96bb3f62bf422b59fed2ff011c762540f8574d64c9c7277028f2588b5b713823df56f9803c65e109223895fba9ed5f8d

    • SSDEEP

      1536:hexLd+GGpAR1uFs4mrYNjTURz6dZiFq1VSbFP0zm:hkUG+EIFRb9TURz8iFkVSbFMS

    • Score

      1/10

    • Target

      Dism/IBSProvider.dll

    • Size

      60KB

    • MD5

      b5b8c30b6eadc678f37d865061684219

    • SHA1

      c78dc8160d7f0d794d6a156d9194f16314a0a361

    • SHA256

      f1bcba5928da73db1a78355afd4cedb8d66e09d28fcfa6ae75112c5e10b0d841

    • SHA512

      de2b7c5a03298a467152a8adc308c4355ca420438b96035083d524b2058daec9d2434eb62d329f747eb9768af8324a306d1e257005df7ddc2ff093a73068e06f

    • SSDEEP

      768:/MNsBtL+LsOHEeZMG8c4cWamUMvyARy0VnrK3Lemvfq/n7Ch1PiKai9zoYf:emsLsOkeacfmDjZr0SmKmXPG+zf

    • Score

      1/10

    • Target

      Dism/LogProvider.dll

    • Size

      78KB

    • MD5

      1176e91f4f663b03515b4d944dcdd72b

    • SHA1

      fa341a412720fd79fe1e1f6e11d850a4e103871d

    • SHA256

      a4ae8aac8660aaa255cc8318c7971273201e62954d6d36ac5d7ec738fb218258

    • SHA512

      c31f3bbff71ebc3f29813cf55754593262884fc71327db58622da62daa92062b1e8e2f6877a71ca832f40e7127c478d931661527485e801b74dcfdfaf6670874

    • SSDEEP

      1536:o9mLBNlc4Rd1wbNA7elgn0+P+GEa80HGMX0Igx7DAJoN6PC9z:oMLlBRd1kSel4+k80HGMX0Igx7DAJoNd

    • Score

      1/10

    • Target

      Dism/MsiProvider.dll

    • Size

      208KB

    • MD5

      0655a77306506895e5d3b5e7dbc833e0

    • SHA1

      51087449d02fb42c948a1f53735bed1ccedd1ad8

    • SHA256

      bfac469b3bfe0dc5419059d889eabb2ab1bdf1a6298a6de743cf0f189a48c679

    • SHA512

      dab8ce18208670e720927f3d6bc317cb81b72c6ca95a92e637d9e19bec4666b3607747bbb3f0ef7285a41c49a26c2a52fb225224ece22aff391f89df2f9df61d

    • SSDEEP

      3072:eAHjL5MM39qnOOL1QZaFsrMQ72dmTcWI+fByuc+RAuEvbB0MFuWdOEQlUoMI1+9:eAHfyMkraaSrGwnjfBI7bgWdU

    • Score

      1/10

    • Target

      Dism/OfflineSetupProvider.dll

    • Size

      183KB

    • MD5

      db1c840507ea36d04d8f8f503804daad

    • SHA1

      990152a67191059ac486074f0a50b97b840bd8e3

    • SHA256

      23fac2578e222a023c7b67186d67070518c17f08a6c39644fbef76293751efc4

    • SHA512

      90da4d328c27f1379f7f9e65019aa242e1899b1a2a5f9626f08aeea020b8f46583878891b8a73b4c555e381f1e8f8c5be5c54dce2d7a2498c2e3a40c8abcb5a3

    • SSDEEP

      3072:Ko8F4zlDtDlWY32LCG3F4l96gsFYryk/5FS7moOFmh36ZtPW80iO:Ko8OzljW3CoSl9eOmkFsDJyPk

    • Score

      1/10

    • Target

      Engines/spsreng.dll

    • Size

      1.0MB

    • MD5

      fc3f513dbfa7ae54ef4e3498d9e9784b

    • SHA1

      3f29b2c3e1e34d3062b17525669cd3b6f82961a2

    • SHA256

      67df7281ce98f247f25427232785a8d651472e21488bf2cb4ab57cbaab7be016

    • SHA512

      d9594815b4a71ba70e16aa26317d7c8d93171ef958f824fa99ab9f8ee15885940d44d47334a6cf4668bdd27c10b3044db131d841acad631869e9d3853775f2cc

    • SSDEEP

      24576:fAGx/PfINLsVkWOur35TgkvUnHNyop+1BwBBH:fBPgBHur356z

    • Score

      1/10

    • Target

      Engines/spsrx.dll

    • Size

      103KB

    • MD5

      f3a75622e931e20dffd1daa951d71f39

    • SHA1

      b94bb09eb306b88972397b8af555623f0655f086

    • SHA256

      7b8f98be4bd2145e4e1e4c71c6d2a1b789c6810f0582209502f4666a035b41c1

    • SHA512

      6222714a9f2f37cb58577ede6d8246c528488d878830313d3d84372f1dce8c5b79cef99c4ac5cf229f2366663f1bb1dc7b8855dcd234426cfa202e32a08e8330

    • SSDEEP

      3072:HGvgUUbeZWCkPhh7rnrwwFQIgplqiOPRcuwtB9N6f:mvgD7rnVQIgpl16otB9

    • Score

      1/10

    • Target

      Engines/srloc.dll

    • Size

      475KB

    • MD5

      29bb9b5d6efa4a639759e59641aa5821

    • SHA1

      dc6e55ddb6f5c5061f48238e4aec290e26ec7804

    • SHA256

      f373673d34cc74f76f8c951b664589845b9dd82c939f6973c67e8fff7d6f9840

    • SHA512

      5e9d38856fa39f7f9221bca2c9fdb72e62590d9544e9446cd76ad983fd4454885e52daccfe8e1a71f1cbeaac1ba23e981b051fb89819532698af0aa20e15d65e

    • SSDEEP

      12288:eQnZiz8HurXkIvbEoQwHG7jeCYtpEo7Tf:eQn/urXzzEtNopH7T

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      __app__v.3.9.8__x64_.msi

    • Size

      51.4MB

    • MD5

      25cf10e4cb809a53a6762d97bda6b3ee

    • SHA1

      e200a4543b55e824485c66bb08b3b0a9acca7a98

    • SHA256

      f49d3f3a5634cc854a78f5cc7183bd5e291bb16de20a55216b6f1b78461f7f9b

    • SHA512

      cbd5ba433210a82a94cdd887810b9cb3817d010cdffd19434ded1cb06b1a948eae155e8cc2f6fc00a81dde76b26bb85c2c0ec9531a1a9d2d806adb156c31c23a

    • SSDEEP

      1572864:Tp+Ty2SfWnHDk8FjVbfzPTq4l+R8hliQ59dG2I7P2n:W/0WnHDkkjBPTq4BhMQ5LlI

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      setup/FXSOCM.dll

    • Size

      37KB

    • MD5

      c0e3831d4f9a8342ed72c0e9237c1ffa

    • SHA1

      19f993714ae9077735551f3ea52e2ebe4b61fd94

    • SHA256

      0b4c139182ba9bf4cb7db9594f1db9c5bebf8fe3eff5acca338db9696da2eea3

    • SHA512

      c3f7729ee1ff8cfe86b44be74b95576136f5f4e2c84ec53b322a671d4b8bfc95e08865848649a4595bda9d0830cbc93f57422cd6cf45d645877ad6b5841a944d

    • SSDEEP

      768:QitJ48txXkygRE+jXR3H/qIK3MsJYjexGnNYXtPTA:BJ4YkE+NqIKc8K8GNY5TA

    • Score

      1/10

    • Target

      setup/cmmigr.dll

    • Size

      69KB

    • MD5

      a8f16d638f620d8254143ee901a2801f

    • SHA1

      7a4cbeac8f01cd9d78e24e6531d192c9be90dae1

    • SHA256

      b87f0a07154926b1eda3a388d2e02783dde9a9ff1ea3bc27ab35443f0c07aafd

    • SHA512

      064b140f47783422ba7f33a12cb2770a14dc5e2d24e8e31768de2331de032cfb9c3db7733711dde64f99593c6e81767b1042372c28fa0ecc7e57d272d99b5c58

    • SSDEEP

      1536:HkAX1j1yconIhX9m8Y6T6NzFYLHxQhsLfZv0r9hNbpFdC+cY0C:HLX2JmXdT6NziF1bCNbDUHYr

    • Score

      1/10

    • Target

      setup/comsetup.dll

    • Size

      249KB

    • MD5

      5b77a2ca50ff4bd7a8f3b830b0b8962c

    • SHA1

      c6e4df1a16ff70d951f3949039909a720b238cb6

    • SHA256

      a37689df6df071bb90f0348df5cd7d4e897a746b975ff11cb434cb3c821391e8

    • SHA512

      a3d3b5dd08005cf80f126f3a31fc136cba528796bb68218f3b7cb95fac500316420d3423fb5d6dbbd376363ee85e95446193b142e9fbe199fc130fbd94ed74a3

    • SSDEEP

      6144:PEYw2vAUePU1IWdJLRw3MMh3b2PzT5PLo6sQEVs:PEYLsU1J9w3OTP

    • Score

      1/10

    • Target

      setup/msdtcstp.dll

    • Size

      115KB

    • MD5

      cde36f7995d40769094b1811706952e7

    • SHA1

      84c118c1eb396afb368e83f35155dced503447fb

    • SHA256

      1ed89f7401699319fcbc485a0d499985f5cc20a403a1d5d4de34014ab1c8ce11

    • SHA512

      d7ebf0757f8e799c6eb5ed62e9c484877f1feb07f316740e0a3cd2e2a114e833acc29af8479f82189cae47d88286f9a25623eaae147bdfedd54074318c9a91df

    • SSDEEP

      3072:dCIgK/7sKiAbO7OUZ9YoZCjvb6pwfarSr:EO7s37ZZ9YoZCj4wx

    • Score

      1/10

    • Target

      setup/pbkmigr.dll

    • Size

      70KB

    • MD5

      c23b51110883ab62f1f030bf1ddd7963

    • SHA1

      a6d17b756340fc08a07043375be5f522b6b89799

    • SHA256

      f3b147f68b111e668d1395577bca255dbb902830dde33f7708b092534d6efbb9

    • SHA512

      cca4944361608de960fdaeba642cd70a120eb59fd5908d0f659bdf2f710cf1ab3b15b772ca31a27d82818604e27c754ac4b22279735cc0c86b018e16dff1c124

    • SSDEEP

      1536:N1oaQ08IzyG/4YrnVDLH2er+fnOkuSb6XqCkmP+hzB:NiaQqyYTnhqBDuSu6CkmWh9

    • Score

      1/10

    • Target

      setup/tssysprep.dll

    • Size

      58KB

    • MD5

      69fdefe41fb1c8ccfc3c2d2586a84c9d

    • SHA1

      4db96dba5d8b1a7485ac4d17266ad0edf732d46d

    • SHA256

      e868261457b53eea8f7fe18cf10bc6374bce923c2b339dc0c0ebd9bd67f78eb3

    • SHA512

      5a3211cd2164c29aa3716c6c36cdfecda38e6e7671984bb40ebf75ded8bb880db37d79fb95c0f70879936129201dde88dcad66ebbd866dd007afe48f53a2cce1

    • SSDEEP

      768:Af9Bv0qFp0SFwu8t0KlXrhflbRV4rUjk7DzWl2LkGfDRu4MDeb4l0evpFNoTRoD:Ab5YRV4Ijk7DzWE7Ru4zb4+4pFNoTR4

    • Score

      1/10

    • Target

      wbem/WMIPJOBJ.dll

    • Size

      98KB

    • MD5

      3078620fe465417a7c2f5d44d4a6fc42

    • SHA1

      db2411e36df0be1f52f0b0f34e461c8534c5c1bd

    • SHA256

      3b15c50364b4796f239933f4faccc6a5333a22f2c9cab7685f4537dcb56ec9c8

    • SHA512

      ac5ac183b6bcf2adcfe473ccfae80b1274396c3a7c3ec05503752b539ad31bdec586b2f83939321d16411a1473a6301a72585e2d38cbe52cf38353c76a9bc1ee

    • SSDEEP

      1536:aAhH1VZJYisWKXFgDmFp4XWB4+sfJgEO+5klcYznuLBbDN:aAFbZ28mgW2+sfJjO+5Oqbh

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      wbem/WMIPSESS.dll

    • Size

      60KB

    • MD5

      9be96954745d7c36a5726deb8ad28bde

    • SHA1

      8e44a8b9234d4e73f9d9fa1f414aa24648a9ee7e

    • SHA256

      8300c2da596f5c1a416d02a598e323cdb4e82fc480e125df6fb3aa2c53cacfa2

    • SHA512

      7e5060fb071dc528d463e378635c700e63974f20e477114c756178de0d3def025c13f4383b0b1678634fd6a61b22dbe7a8c5d5726d6c59c71a40555eb92aa0d3

    • SSDEEP

      1536:SXOWHEOQjeCKfEFIb0bnhf91dkSWpXIRqk:C/5QjeZfEyknhf9sS6YR9

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      wbem/WMIsvc.dll

    • Size

      238KB

    • MD5

      8828f0794cd83e81a9ca9b3bd0903bc3

    • SHA1

      a374277de6eeb62bef9ad0f7ae43f3fd7ec299e1

    • SHA256

      fc0fab4941a94299486709a7ff68ae7ce4d60ef597269743f3e8cce0b2c95463

    • SHA512

      43cce7fecc55c7611dd3443ddbff64325e17ca9377dfb1c6abd2457e6d66313f66833868b4c6a28180b4a5e68810da0542958fd5aac6dd64cd8eba45dfe4a31d

    • SSDEEP

      3072:uRH7TyNVxUt43PZwaAz0lbxSyaMWWzdoBrlbXJ+lkBkut9+W8EPusK7wJL7GGGqL:uRH7THm3xAzGxSyUsyBn0ky696f+Wg

    • Score

      8/10

    • Server Software Component: Terminal Services DLL

    • Target

      wbem/wmitimep.dll

    • Size

      59KB

    • MD5

      0e2fb8f7aa90d4e9442577321ffbd24f

    • SHA1

      418c27d9ff8e1343bd114b81e0c89b4d6edbcb59

    • SHA256

      33f3065cf0ba07a6e1f9b52c9e705d80e0326fb60290a0cfaaae2347de112805

    • SHA512

      9482dca5365d2c6cbff4bc34931ca57064da374bba2fb237ec797c0b932cb55942f054ee39a6aef9e3d6142b4475c311fef01e2099475290d0e2247905472f07

    • SSDEEP

      1536:mFGSn++7rpSp1Q2Hr3uMgv5HUa1jmZ+tOAtnI:mk+4p1Q2Hr1ghljO7AtnI

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      wbem/wmiutils.dll

    • Size

      135KB

    • MD5

      103768e150d89d6a759d9c85c5efcec1

    • SHA1

      617a83d206b6944ac10be2250a942959a9e5e9c2

    • SHA256

      5184cc67151f598b0ca7676e8aa582575816d31ac8faba9ec328c6738ac51fe5

    • SHA512

      0c4990dc70df437985a4bed5c28654f04d05843bf4f728024c9a76251e9d7baf368537c973b8e3249ed825ed92e6c99580ca38da09400046ed87df8de7ec2c2b

    • SSDEEP

      3072:vlFkYHH/lv01dEdQiNh+e13At2hIJl1bko3OTc:7fH/4dEdQGs2Y1Yo3OT

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v15

Tasks