General

  • Target

    putty-0.80-installer_iG0Cy-1.exe

  • Size

    1.2MB

  • Sample

    241017-fekvgasfpe

  • MD5

    6b03ffbea9187292206f9f5d4e31a9fa

  • SHA1

    ecb9d15fae6dc1564c79e0e81998cdf08c48958a

  • SHA256

    261f44a3a5fa335e6fd2d33d2083357ac7c39d5d43a870e50e21c2fa69a1c818

  • SHA512

    12028a831a563aa6842f36691a2a053ecd80df32c11deb513e00760a8197c28f90de8f4ed02cba93d3996e783f15c009f152e115a0f65f5bd41d436cf1ec728f

  • SSDEEP

    24576:4nILoA6dq2O7WZvabTAB9FrIVTefXG2VQVOBPneO:2Co1dfiMCbTAB9WTIhVDV

Malware Config

Targets

    • Target

      Device/HarddiskVolume3/Users/Hassansheaib/Downloads/putty-0.80-installer_iG0Cy-1.exe

    • Size

      1.7MB

    • MD5

      c7a7965b8fd1b9f7a1c6f183ccd5fa57

    • SHA1

      f85bd1d3dd5dc2121096807b9f4a105be6c5662c

    • SHA256

      e2745928773e083ca422a6ef0a0518882dbb952012ce7b57671312fbe9321b96

    • SHA512

      0677523dd2a6984bbbd427cd80cf43e19b36da95134ef469519dfcec0f7b6c4cae8fefa50545ec83ae32aaf14f6c6d631662cdf6daceb90d7e70f397bfd862a1

    • SSDEEP

      24576:C7FUDowAyrTVE3U5F/Itk6t0fJBBPCpJubZLN7R3iyiPExWHE2PAIGrIe3EV:CBuZrEUa4BBaps3zi4IIrIN

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can alter the Authenticode and Cryptography registry keys so that their unsigned or tampered binary is treated as validly signed.

    • Sets service image path in registry

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks for any installed AV software in registry

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Event Triggered Execution: Image File Execution Options Injection

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
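The following is an added triage example, not part of the sandbox report or its tooling: it runs the persistence and defense-evasion signatures listed above (Run key, Active Setup, IFEO, COM hijacking, Safe Mode boot, service ImagePath, Authenticode/SIP manipulation) over constructed Sysmon Event ID 13 (RegistryEvent SetValue) records and names the signature each write corresponds to. The registry locations mapped to each signature, the sample paths, SIDs, CLSID and file names are assumptions of the example; the report only names the behaviours.

```python
"""Map Sysmon registry-write events to the sandbox signatures above.

All records below are constructed Sysmon Event ID 13 (SetValue) messages in
"Field: value" form, one blank line between records.
"""
import re
from typing import Dict, List, Tuple

# Registry locations commonly used for each behaviour (assumed mapping;
# the report does not state which key the sample actually touched).
SIGNATURES: List[Tuple[str, str]] = [
    ("Adds Run key to start application",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\"),
    ("Boot or Logon Autostart Execution: Active Setup",
     r"\\Software\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$"),
    ("Event Triggered Execution: Image File Execution Options Injection",
     r"\\Image File Execution Options\\[^\\]+\\Debugger$"),
    # Per-user CLSID entries shadow HKLM ones, so a user-hive InprocServer32
    # write is the classic no-admin hijack.
    ("Event Triggered Execution: Component Object Model Hijacking",
     r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32\\"),
    ("Impair Defenses: Safe Mode Boot",
     r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot\\(Minimal|Network)\\"),
    ("Sets service image path in registry",
     r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$"),
    # SIP hijack: repointing the DLL that verifies Authenticode hashes makes
    # any binary validate.
    ("Manipulates Digital Signatures",
     r"\\Cryptography\\OID\\EncodingType 0\\CryptSIPDll(VerifyIndirectData|GetSignedDataMsg)\\"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in SIGNATURES]

# Constructed sample: seven malicious writes and one benign one.
SAMPLE_EVENTS = r"""
Image: C:\Users\user\Downloads\putty-0.80-installer_iG0Cy-1.exe
TargetObject: HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: C:\Users\user\AppData\Roaming\svc\upd.exe

Image: C:\Users\user\Downloads\putty-0.80-installer_iG0Cy-1.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000AAAA-1111-2222-3333-444444444444}\StubPath
Details: C:\Users\user\AppData\Roaming\svc\upd.exe

Image: C:\Users\user\Downloads\putty-0.80-installer_iG0Cy-1.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger
Details: C:\Users\user\AppData\Roaming\svc\upd.exe

Image: C:\Users\user\Downloads\putty-0.80-installer_iG0Cy-1.exe
TargetObject: HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{0000AAAA-1111-2222-3333-444444444444}\InprocServer32\(Default)
Details: C:\Users\user\AppData\Roaming\svc\comhost.dll

Image: C:\Users\user\Downloads\putty-0.80-installer_iG0Cy-1.exe
TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcupd
Details: Service

Image: C:\Users\user\Downloads\putty-0.80-installer_iG0Cy-1.exe
TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\svcupd\ImagePath
Details: C:\Windows\System32\drivers\svcupd.sys

Image: C:\Users\user\Downloads\putty-0.80-installer_iG0Cy-1.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll
Details: C:\Users\user\AppData\Roaming\svc\sip.dll

Image: C:\Windows\explorer.exe
TargetObject: HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Details: DWORD (0x00000001)
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'Field: value' blocks into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            field, _, value = line.partition(": ")  # first ': ' only; paths keep ':\'
            ev[field.strip()] = value.strip()
        events.append(ev)
    return events


def classify(target: str) -> List[str]:
    """Return every signature whose key pattern matches a TargetObject path."""
    return [name for name, rx in COMPILED if rx.search(target)]


def scan(text: str) -> List[Dict[str, str]]:
    """One hit per (event, signature) pair; benign writes produce none."""
    hits = []
    for ev in parse_events(text):
        for name in classify(ev.get("TargetObject", "")):
            hits.append({"signature": name, "image": ev.get("Image", ""),
                         "target": ev["TargetObject"], "details": ev.get("Details", "")})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['signature']}] {h['image']} -> {h['target']} = {h['details']}")
```

Only SetValue events are represented here; the MBR write, AV enumeration, drive enumeration and country-code lookup in the report are not registry writes and need file, process or registry-read telemetry instead.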

MITRE ATT&CK Enterprise v15

Tasks