General

  • Target

    microsoft-pc-manager-1.2.4.5-installer.exe

  • Size

    5.7MB

  • Sample

    241101-yxrpvawnbl

  • MD5

    09c62056246cb38e9a5ac5f8117dbd87

  • SHA1

    f617b7b47d38df383ffd9c1a801583748d43729a

  • SHA256

    d9fb85fd9897d95fc6d51143d613b1c073b7424f67e6dbd9f80014ebcccc7be4

  • SHA512

    cdda0c64c2a1b7a2c7d5ff02738be7b36b5a528891f7d0a5de15dc259e8c79d1514e31a0679dfeb35c1027eb8ec4f3e3b1b4ae010103488201a642bb07692f00

  • SSDEEP

    98304:wiLNQbaAEQQe8IMkG6xe8E8dk4BmQQgK5YOTFmFa0vfnG9gDTOuQp1zQVhO++Fj3:wipQbKVcVgJ5T6G98auQMhf0u6

Malware Config

Extracted

Language: ps1

Deobfuscated URLs:

  exe.dropper: https://aka.ms/WMOnlineZip10000

Targets

    • Target

      microsoft-pc-manager-1.2.4.5-installer.exe

    • Size

      5.7MB

    • MD5

      09c62056246cb38e9a5ac5f8117dbd87

    • SHA1

      f617b7b47d38df383ffd9c1a801583748d43729a

    • SHA256

      d9fb85fd9897d95fc6d51143d613b1c073b7424f67e6dbd9f80014ebcccc7be4

    • SHA512

      cdda0c64c2a1b7a2c7d5ff02738be7b36b5a528891f7d0a5de15dc259e8c79d1514e31a0679dfeb35c1027eb8ec4f3e3b1b4ae010103488201a642bb07692f00

    • SSDEEP

      98304:wiLNQbaAEQQe8IMkG6xe8E8dk4BmQQgK5YOTFmFa0vfnG9gDTOuQp1zQVhO++Fj3:wipQbKVcVgJ5T6G98auQMhf0u6

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/BgWorker.dll

    • Size

      2KB

    • MD5

      33ec04738007e665059cf40bc0f0c22b

    • SHA1

      4196759a922e333d9b17bda5369f14c33cd5e3bc

    • SHA256

      50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

    • SHA512

      2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

    Score
    3/10
    • Target

      $PLUGINSDIR/CheckWebView2Setup.ps1

    • Size

      14KB

    • MD5

      396fa0632c434d7732b7cecc3c66ab9f

    • SHA1

      7292a1159c71768eb4966206ffac1d62e8996d9f

    • SHA256

      20325423105ec58a2865a65a6a0da763e366447e8b7d40923ef76fbe6b644913

    • SHA512

      1a14771d2b23d278e000f2b824787b4d27ba6bb9d315a91d7cc2e0ec65ae0fd4fd96852442b3c67f528e5ce3e95d02108da3984e6e293b134a206a4ee8638982

    • SSDEEP

      384:l1BTN6hEfVJzQS8DAppYUOCOegmuDzNV25FmcmBk5ET1Gb2Zt4J3xhsXQF:l1BTrdJcS8DAkXCzu/NV25FmcmBRGatY

    Score
    6/10
    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      $PLUGINSDIR/Crypto.dll

    • Size

      3KB

    • MD5

      59b7a89dbff790d69e01409dbc2a2788

    • SHA1

      4ebbee3ebb35add8c1a0e436a4e4c9c5ba47c02a

    • SHA256

      17b9038e66f3f45c4e775b32ad1bf076812d1ca4149198b47f4e0eda416859b1

    • SHA512

      c202034bfbb7aca777326e7fb336e977e79cd9ba3bc7c17e5b6ec9c0222f6df2e1675b7d6bcb3de04a84e6226b193a5e0b81af950bc659fab83d12cd2fb84c04

    Score
    3/10
    • Target

      $PLUGINSDIR/GenericModule.psm1

    • Size

      14KB

    • MD5

      ceb4eff5d4d42706cc5271dce037b695

    • SHA1

      c83a1864ffdf9a744fc1f9bbde3680a53445c4b5

    • SHA256

      76e56d313c7fcde83c777c70abe0a898836042bf8ba1ea78db70aa2e9b411da6

    • SHA512

      81f6df3dd939d6040ac034317aa1c56ff164695e9d3fa601b0679cb23faf804711e37f5263d3d74b48ac95948dfe1d619a07463bb503797cc10765a43df9c4d5

    • SSDEEP

      384:Ke8RBJiaz+DS8jnxmIdTt8LAHyZfw1kfX7yaC24hjfR1:P8RBJJ+G8jxmIdBTcfUkfX7yC4RfR1

    Score
    3/10
    • Target

      $PLUGINSDIR/InstallWebView2.ps1

    • Size

      16KB

    • MD5

      050ea46fcb4c35a80f5dc8ed7ea7d8d8

    • SHA1

      e85bc41d4db9f68edf2cefdc4c77c39fe0138be5

    • SHA256

      52a0b7b59065c42767d872a439b30191508e658b5b0573c563bacb394deaeb34

    • SHA512

      639012efb3f7e38d7e1d67431bafdec20627c515cce34874b77a4fd76d6e18cd2d5c3490e79d5a91fa014fc98bfbabd320abc230fe1ca896ef01b7c1692876f5

    • SSDEEP

      384:k5Is9QuJ7BJiaz+DS8opSBf4orpec1ZVWw2Z2qSIN6bSE1DtmtQA:mIs9Q4BJJ+G8oMd4orpecpWwTql6P1DE

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Target

      $PLUGINSDIR/ListProcesses.ps1

    • Size

      14KB

    • MD5

      57964b962800cdd0eff14c637b429936

    • SHA1

      85a53025f0e55e2f2d92ee475c4a214243dcac32

    • SHA256

      be9aeea675407a2f82caab9b7094edff957c85ff4206c0fc9eb022a087cb7929

    • SHA512

      3a707cf90348c70a75ee343570a7f218710ea79bc71d05749eb0af470a68aeafedaa2829727b2b1128317a88b59cf3cbbffebc84544cf94f64d94d1b45df8ffc

    • SSDEEP

      384:RBTN6hEfVJzQS8DAppYUOCOevmA9S0N5pO6/2XhwlCNYEFdrQfGYo:RBTrdJcS8DAkXC6A9SapO429YHk

    Score
    3/10
    • Target

      $PLUGINSDIR/MicrosoftEdgeWebview2Setup.exe

    • Size

      1.8MB

    • MD5

      c56905370fd00d80e6c87146b2b79043

    • SHA1

      366288994801930c7748750811db9e9ce2b5295b

    • SHA256

      7229ef4aff277a824fcd6db51a8df25a1daa638071b469cdde256d50e033e61e

    • SHA512

      8b22b4331c632d63164664b90f6d26c0da0c27c877010a5f5d7a5c3cdd350661b1a2dbbf92c451e9393b379eb9d6054d4e528674957c8fc820f1c1a9459eb8c0

    • SSDEEP

      49152:tyE3dWqT2eiYDKHAdpnrjAMjx2jA0GnvNyL3s0xK:ty3qT2huprsQr02vNyL3s0xK

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: Clear Persistence

      Removes IFEO.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Target

      $PLUGINSDIR/ShellExecAsUser.dll

    • Size

      43KB

    • MD5

      552cba3c6c9987e01be178e1ee22d36b

    • SHA1

      4c0ab0127453b0b53aeb27e407859bccb229ea1b

    • SHA256

      1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

    • SHA512

      9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

    • SSDEEP

      768:SA49ATJ9ONLkh9J5lDYDzG8yVAf7hiJFkkAqnTEDlV4vihdk:SA4CJ9OFpXf0AfNiTkIMrhdk

    Score
    3/10
    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      107KB

    • MD5

      be84a0642fb2bf1fd2443f22e30b573d

    • SHA1

      264ac226e34f96121682c0fe2f4aecbee4cc2d62

    • SHA256

      b9d8acb84b97daf7914adbaf1ec7662857b361bed350f469a41dc94770eb9c33

    • SHA512

      0fcc75770b201fed43a79a38babd9b0bfaec92bf910767eef9a00e7cfaca440368d1b16af7bcd2bf2e708dfbfe9a9076280054982039e455109b68f71071a58b

    • SSDEEP

      1536:ZNx0+EWEEjo+riJcdu+Oz6x8zUqIbVLf8+iIKoYbGuB3wS633386Phmy:Z2Ejhi3hzm8zyuu+3wdHHZmy

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bf712f32249029466fa86756f5546950

    • SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    • SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    • SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    • SSDEEP

      192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

    Score
    3/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      c7ce0e47c83525983fd2c4c9566b4aad

    • SHA1

      38b7ad7bb32ffae35540fce373b8a671878dc54e

    • SHA256

      6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

    • SHA512

      ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

    Score
    3/10
    • Target

      $PLUGINSDIR/WinShell.dll

    • Size

      3KB

    • MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

    • SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

    • SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    • SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Score
    3/10
    • Target

      $PLUGINSDIR/downloadAndExtractFiles.ps1

    • Size

      18KB

    • MD5

      44278d7335e42a7137b70b2ee3c2c1db

    • SHA1

      2f48a4b0e81173840a828c46b0311623cc427682

    • SHA256

      8783dbdc05ebdd6a08c11e6c705ff9f4808d55eddb0132db85dcac38029bbbf9

    • SHA512

      364f5d9b665574379b01779785d4b897568b8ef95fce282b82b875e5d2c538ec7c8ec5d26c70e272b02bcf90d8c038131bd3a095eb71dc25a76eef99347ad736

    • SSDEEP

      384:CvmL9z5S/MBJiaz+DS8UmoaJ7J1qy+3gTdkhuWUJrJVBXRAIL:Mkz5SEBJJ+G8UzQ7J0F3gTCshXRAIL

    Score
    3/10
    • Target

      $PLUGINSDIR/licenses/license_en_us.rtf

    • Size

      83KB

    • MD5

      c5c97ce6cbb8ae5319a9ae3927242750

    • SHA1

      09685588a390fafe51e745fad6a0e1efad29fd0b

    • SHA256

      28c0d0ba3e0c3f018706891900c413c1b56c6c1e59c5b5aaa64f189060b480f8

    • SHA512

      fd21eed9fd23f08197e70cad0949429b4485487bc26985a4a6b8291bfa349f40372aa5c12497e0ce06c1878e8cb461b1ee903c26f0dd1241374e38bd79d4bb23

    • SSDEEP

      768:SPvqF1VFs+k96ou5dA1Yct+MKSJuidUou5cbQ+k96ou5CbQ2k96ou5bbQ+k96ous:SPYVBYuVcEsTPVbEtk

    Score
    4/10
    • Target

      $PLUGINSDIR/licenses/license_zh_cn.rtf

    • Size

      138KB

    • MD5

      bd422d6c6fded008a646666494e5d978

    • SHA1

      4e6ad157af0de141e05fc29db67ff33313311aa3

    • SHA256

      37d4fe0a041c4b15b4f3cf8867f435948d682545e4fb39db3b9d7483a35ff58a

    • SHA512

      62efe9f3e7ff8c43939f76ca9659a59fabfc9f194117b798f2632e4bdcda827001864fc7358dc9cce94ad5d719b531f075146a163c7cc2f0ce2a9661074d0de7

    • SSDEEP

      768:sb1pQy3Bo8jI96ou5pS+k96ou50SKw5Avgt6aJaIDK4lJwI/j+ou59S+k96ou5uD:sb730DocIRDwiAUjSdLOaVTz2LHt

    Score
    4/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
10/10

behavioral1

discovery, execution
Score
7/10

behavioral2

discovery, execution
Score
8/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

execution
Score
6/10

behavioral6

execution
Score
6/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

execution
Score
3/10

behavioral10

execution
Score
3/10

behavioral11

execution
Score
3/10

behavioral12

discovery, execution, persistence, privilege_escalation
Score
8/10

behavioral13

execution
Score
3/10

behavioral14

execution
Score
3/10

behavioral15

defense_evasion, discovery, persistence, privilege_escalation
Score
8/10

behavioral16

discovery, persistence, privilege_escalation
Score
8/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

execution
Score
3/10

behavioral28

execution
Score
3/10

behavioral29

discovery
Score
4/10

behavioral30

Score
1/10

behavioral31

discovery
Score
4/10

behavioral32

Score
1/10