General
Target: putty-0.80-installer_iG0Cy-1.exe
Size: 1.2MB
Sample: 241017-fekvgasfpe
MD5: 6b03ffbea9187292206f9f5d4e31a9fa
SHA1: ecb9d15fae6dc1564c79e0e81998cdf08c48958a
SHA256: 261f44a3a5fa335e6fd2d33d2083357ac7c39d5d43a870e50e21c2fa69a1c818
SHA512: 12028a831a563aa6842f36691a2a053ecd80df32c11deb513e00760a8197c28f90de8f4ed02cba93d3996e783f15c009f152e115a0f65f5bd41d436cf1ec728f
SSDEEP: 24576:4nILoA6dq2O7WZvabTAB9FrIVTefXG2VQVOBPneO:2Co1dfiMCbTAB9WTIhVDV
Static task: static1
Behavioral task: behavioral1
  Sample: Device/HarddiskVolume3/Users/Hassansheaib/Downloads/putty-0.80-installer_iG0Cy-1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Device/HarddiskVolume3/Users/Hassansheaib/Downloads/putty-0.80-installer_iG0Cy-1.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
Target: Device/HarddiskVolume3/Users/Hassansheaib/Downloads/putty-0.80-installer_iG0Cy-1.exe
Size: 1.7MB
MD5: c7a7965b8fd1b9f7a1c6f183ccd5fa57
SHA1: f85bd1d3dd5dc2121096807b9f4a105be6c5662c
SHA256: e2745928773e083ca422a6ef0a0518882dbb952012ce7b57671312fbe9321b96
SHA512: 0677523dd2a6984bbbd427cd80cf43e19b36da95134ef469519dfcec0f7b6c4cae8fefa50545ec83ae32aaf14f6c6d631662cdf6daceb90d7e70f397bfd862a1
SSDEEP: 24576:C7FUDowAyrTVE3U5F/Itk6t0fJBBPCpJubZLN7R3iyiPExWHE2PAIGrIe3EV:CBuZrEUa4BBaps3zi4IIrIN
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers may modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
- Sets service image path in registry
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
MITRE ATT&CK Enterprise v15
Counts in parentheses are hits per technique.
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Impair Defenses (1)
    Safe Mode Boot (1)
  Modify Registry (5)
  Pre-OS Boot (1)
    Bootkit (1)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (1)
  Query Registry (6)
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (6)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)