General

  • Target

    93bc218fa7956dc4eb8d19f7fe8c8ebb2e0b60f06ff221bbab6e62b56fc94f6a

  • Size

    28.5MB

  • Sample

    241027-wj28baxres

  • MD5

    0fa34a970c3defa54dbc6b725e03b83d

  • SHA1

    44fa4a2d4d3fc9259fb03324eb390def62ff786a

  • SHA256

    93bc218fa7956dc4eb8d19f7fe8c8ebb2e0b60f06ff221bbab6e62b56fc94f6a

  • SHA512

    2ec36599bae79365cfb02edc475ca416b4cd85c9cf349b0cc548e145a10fb22b2fae5ce504e76725e6832028cda3fd6b2bec4adfb7dbf49738e952651a5b7e90

  • SSDEEP

    786432:yTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH:y2EXFhV0KAcNjxAItj

Malware Config

Targets

    • Target

      93bc218fa7956dc4eb8d19f7fe8c8ebb2e0b60f06ff221bbab6e62b56fc94f6a

    • Size

      28.5MB

    • MD5

      0fa34a970c3defa54dbc6b725e03b83d

    • SHA1

      44fa4a2d4d3fc9259fb03324eb390def62ff786a

    • SHA256

      93bc218fa7956dc4eb8d19f7fe8c8ebb2e0b60f06ff221bbab6e62b56fc94f6a

    • SHA512

      2ec36599bae79365cfb02edc475ca416b4cd85c9cf349b0cc548e145a10fb22b2fae5ce504e76725e6832028cda3fd6b2bec4adfb7dbf49738e952651a5b7e90

    • SSDEEP

      786432:yTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH:y2EXFhV0KAcNjxAItj

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Stops running service(s)

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • Impair Defenses: Safe Mode Boot

    • Modifies file permissions

    • Windows security modification

    • Adds Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks for any installed AV software in registry

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v15

Tasks