General
Target: TotalAV 3.exe
Size: 37.3MB
Sample: 241020-z5cfka1ang
MD5: c1f8d9e8bfa15bbf39bab6682e763dbe
SHA1: ee856497da29745ec76e44bee935c5b424601e8f
SHA256: 92cab6e03f3f45e5ccab73f604cb9618d2036393be00e374b3bc2e59fa96faf0
SHA512: 1b5adf377295f345aa869d9d9187f22569ea1ae5745674241cd660beeb71a21bdd0489adfe0195cd0d8e58d25dd0a3c3ba39867a0125b90e5c45a94173d894d9
SSDEEP: 786432:o3on1HvSzxAMN9FZArYsKptPvmcB7OZxuc:oYn1HvSpN9XmWpljc
Static task: static1
Behavioral task: behavioral1
Sample: TotalAV 3.exe
Resource: win7-20240903-en
Malware Config
Targets
Target: TotalAV 3.exe (size and hashes identical to the General section above)
- Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Drops file in System32 directory
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)