General
  Target: ProgramData.7z
  Size: 483KB
  Sample: 241023-e6ft6ashlm
  MD5: 0ba4849c44898e966a2e0d22c336da86
  SHA1: db39171cb8c95a5717b11837418d4b1285ce4b6c
  SHA256: 9f19d03371f1d63949545bcc0e9c4e702a6e97c53b26a707957243496a5a34b1
  SHA512: 6390f46d585a52ab4567e657d6a33e5871128b4c072fd98844f994eb70571740f79d060c8c830890fd615354b52acab112cd8064c60f99e61df0e461b35028ad
  SSDEEP: 12288:0NbhIxRYVzFUKjk2BCYSRdNODeb0jLj6hOj63ayyQEy6YxdSFV:05+xRYVzFUEk25CdnE63ayyb2A
Static task
  static1

Behavioral tasks
  behavioral1: Sample XLSmartApp.exe, Resource win7-20240903-en
  behavioral2: Sample XLSmartApp.exe, Resource win10v2004-20241007-en
  behavioral3: Sample libcurl64.dll, Resource win7-20240708-en
  behavioral4: Sample libcurl64.dll, Resource win10v2004-20241007-en
Malware Config (Extracted)
  Protocol: ftp
  Host: 27.124.45.155
  Port: 21
  Username: lz165404
  Password: lz165404.
Targets

Target: XLSmartApp.exe
  Size: 1.1MB
  MD5: 1a832e5e1574fc6176dc960c6aea3a85
  SHA1: 5c1c7f2b66e72d62c3d658ed2f1155b0bb39e13c
  SHA256: 8f39b7064e9a22e60bd463009d9cf19323323110783a644dfb5bb40da9001aa4
  SHA512: a32ce2b3b1ba332c55a806a6831405dabbdcf1901977db01e7806098cc54debf0abed74db52206287431a97b2ba9e655a6d99500dc91785085d913e8eb64c473
  SSDEEP: 24576:l7ltJMTh3o77d03Cr7204Zfy7mpG0fh0lhSMXlsJnggfMJt7sw:VltJr77dff20YfBGT0ggfwOw
  Score: 10/10
  Signatures:
    Adds Run key to start application
    Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Target: libcurl64.dll
  Size: 134KB
  MD5: 8f3e91147e9880a0ce7c103ee1110f53
  SHA1: 4e7931b612419f0c0d7a5c43d47bdbe8dcf14baf
  SHA256: 8075d70fcfb6b376f01636452dc2d782a3f08564698c2313fbf03cc60268f404
  SHA512: c213633375a1c7128a6b9f05c4791ecb5deaf2fe1aad76283e98af396fc3fe587d4d7fc29f2bebe962e9b0287a61ce2ea77e51b718cd27cbc4c95c2da399a2f6
  SSDEEP: 3072:Jf0QTRrlA3OgzrpFLITXa4j6eumRYQTyaMK/VM:iDhxea4j6sYKK
  Score: 10/10
  Signatures:
    Blocklisted process makes network request
MITRE ATT&CK Enterprise v15 (tactic / technique / sub-technique: hit count)

Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1

Defense Evasion
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Impair Defenses: 1
    Disable or Modify Tools: 1
  Modify Registry: 3