General

  • Target

    gta6.exe

  • Size

    55KB

  • Sample

    241029-v7yz5awnby

  • MD5

    aaff8d22681e8bdee3c3ba55007f673f

  • SHA1

    aa94b52ee5290629165387bb0e7bdf3600e7a073

  • SHA256

    512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb

  • SHA512

    7e097d80b931aaa992b47f76c01eaa7e13c95fcc9d62d0b899216e0309563f32a6b0cb609e4540d81f8a4d3590f7fa277c124d2d6430f9409cf8f5c43f15792a

  • SSDEEP

    1536:T4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNs2:T4dzVTaer344JzthRZijQ1Js

Malware Config

Targets

    • Target

      gta6.exe

    • Size

      55KB

    • MD5

      aaff8d22681e8bdee3c3ba55007f673f

    • SHA1

      aa94b52ee5290629165387bb0e7bdf3600e7a073

    • SHA256

      512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb

    • SHA512

      7e097d80b931aaa992b47f76c01eaa7e13c95fcc9d62d0b899216e0309563f32a6b0cb609e4540d81f8a4d3590f7fa277c124d2d6430f9409cf8f5c43f15792a

    • SSDEEP

      1536:T4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNs2:T4dzVTaer344JzthRZijQ1Js

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender notification settings

    • Modifies firewall policy service

    • Modifies security service

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Possible privilege escalation attempt

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Impair Defenses: Safe Mode Boot

    • Modifies file permissions

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Indicator Removal: Clear Persistence

      remove IFEO.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks