Resubmissions

19-10-2024 11:46

241019-nxh3lawepj 10

19-10-2024 11:42

241019-nvc4kathmg 7

19-10-2024 11:38

241019-nrspvawcnp 10

19-10-2024 11:33

241019-nnzc8atfla 10

19-10-2024 11:27

241019-nkpplswakl 10

19-10-2024 11:23

241019-nhfnxsvhmk 10

19-10-2024 11:11

241019-najevashqf 10

19-10-2024 11:07

241019-m762qssgph 3

General

  • Target

    6812964531.exe

  • Size

    67KB

  • Sample

    241019-nxh3lawepj

  • MD5

    7de65122a13ab9d81368ee3dff3cc80a

  • SHA1

    ecbb4db641431d4d672e4b88e8d309419fd32f04

  • SHA256

    a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123

  • SHA512

    b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401

  • SSDEEP

    1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj

Malware Config

Targets

    • Target

      6812964531.exe

    • Size

      67KB

    • MD5

      7de65122a13ab9d81368ee3dff3cc80a

    • SHA1

      ecbb4db641431d4d672e4b88e8d309419fd32f04

    • SHA256

      a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123

    • SHA512

      b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401

    • SSDEEP

      1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj

    • Detect Neshta payload

    • Detect Umbral payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • UAC bypass

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Disables Task Manager via registry modification

    • Event Triggered Execution: Image File Execution Options Injection

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks