Overview

overview

10

Static

static

10

pluto/pluto.bat

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pluto.zip

  • Size

    210.0MB

  • Sample

    241102-nfzn1ssfpf

  • MD5

    4943513c737290664bf9e9cd10f2ea47

  • SHA1

    5bf02c8ae14b7febfb0031796b7d0eefa8d872a4

  • SHA256

    8f33c040e462aac84c005722c14ab107c0fd75353b321b0ecfca2b7191a5eaf9

  • SHA512

    1a926f355f3a8592fc60fc0fae37762bcd987af5c54a7eee3ed1f5c18faef4e18143d7849f95e2402d663a06c2934df074ddaa479860030de97a8ec4946a9e87

  • SSDEEP

    6291456:4dtAQEVWy3S/kubKPmDZe9QmAQEVWy3S/kubKPmDZe9Qf:mAQEU/fSmDcCmAQEU/fSmDcCf

Score
10/10
pysilondiscoveryevasionexecutionpersistencepyinstaller

Malware Config

Targets

    • Target

      pluto/pluto.bat

    • Size

      4KB

    • MD5

      0f4c02937476b25ba6478bc6873302b9

    • SHA1

      6d95d02e4eff5d70495635cb6e9cdb73480aeeb5

    • SHA256

      a2ead1a17c3d6e75f536e73ac27bed4e7d35b4d33820cc82408fe1fe16938680

    • SHA512

      c46e34da9791e5e86479a680550a7391b1681e111d20bd22f551a86dba177fccf1701ac8d1bdd3dbf6bd53c1e97c8d62f246f53e5309a2e3cba821bd7a954ce7

    • SSDEEP

      96:9+SMH9QJ5PJI2g/8ENEqE3EaE7EREdErEZENEpEzE7EjElEzEqLj:0SMH9QJ5PJI2HENEqE3EaE7EREdErEZG

    Score
    9/10
    discoveryevasionexecutionpersistence

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

File and Directory Discovery

1
T1083

Remote System Discovery

1
T1018

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks