General

  • Target

    09718d571b01cb93e6f983be7b99a4b2.bin

  • Size

    53KB

  • Sample

    241031-bcxzssxjep

  • MD5

    8a4dc1e0e5cbe9510ac96fbcf9dc2ee7

  • SHA1

    70b050b2622be4ff932130b5b02f31fa50f11d01

  • SHA256

    452af9e4d51c8c42b148672ae0fee59159489cab80f446ca6e4fbd9de41e21ef

  • SHA512

    76b9b6f4c27889b0aebe524dacad57e0d0cb5e61258f36f601414f7831fc53123e608bff1cfb6872de22c70fd97fc8ea15f2b6cae10425fd6a0d9b4f535babca

  • SSDEEP

    768:TDini3SZYrHvhCmiJvWs6+UZw8QMBwPxm1LWmrd/4VAqRsUecpkKIPSZkqd1K7bi:inDKrHvNts60qquLTJ4VpOUBzL1KnwWy

Malware Config

Targets

    • Target

      6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169.exe

    • Size

      55KB

    • MD5

      09718d571b01cb93e6f983be7b99a4b2

    • SHA1

      d2d1212212bfc691e115b24e8132ae4658e510e8

    • SHA256

      6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169

    • SHA512

      9c7fad95ad56c1f457be067467886c7d23fa57734547688c64d16f37f3190cc017987278a2387b217e4a8108ac04d33b1fe5353cfb350717a839ecb6dd533098

    • SSDEEP

      1536:34dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNiPJ:34dzVTaer344JzthRZijQ1Ji

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Modifies firewall policy service

    • Modifies security service

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Possible privilege escalation attempt

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Impair Defenses: Safe Mode Boot

    • Modifies file permissions

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Indicator Removal: Clear Persistence

      remove IFEO.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks