General

  • Target

    FULL-TWEAK-BY-3NTR.exe

  • Size

    673KB

  • Sample

    241102-qegg6avelg

  • MD5

    6e08cf02e3e669bad17794ecd4cfb990

  • SHA1

    d60ce2339119b4f5e660cd82fca8b5b51ca485fb

  • SHA256

    ec2505b33c14e27c5304466ad308fb5ab3fe68c2724176827dc556d94b83a1ed

  • SHA512

    b40055db4fe33a27c3cbc3cb49d79650f661b52ecee10c2b773ab1bcd33e2324e712bc7c41633593cf0835da6934d404068400a98a9919b37b92ee96f0e50ead

  • SSDEEP

    12288:etwbzn0ninE1QLvDrxKrSm/VE7M3Ktjm+EN:eINEOrr4Sm/VE7M64zN

Malware Config

Targets

    • Disables service(s)

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Disables taskbar notifications via registry modification

    • Possible privilege escalation attempt

    • Server Software Component: Terminal Services DLL

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks