Overview

overview

10

Static

static

10

Kodak.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Kodak.rar

  • Size

    6.7MB

  • Sample

    241103-dl9q3awmcr

  • MD5

    30ca2aebb61d8e8934595e95939b9fa9

  • SHA1

    e3718f85901bb8360c8675c1cf2ce470d9251488

  • SHA256

    886bef3e6f5c4b49c18f71bf88bbb5f1c5ab6addab24d4a8b59b13dbb0c28d7e

  • SHA512

    2c62ab6f5c9f8a6e8d56efc90dc53ae514740873c94143541481d59b14d4d5113fa034ae493856cd514161f986eb7fb635404377235e12f4fea35ae89e595a5a

  • SSDEEP

    98304:daRp3KKdJYy6tqUS44prOjlG7e7yQpexUPCFvx5MZjvILU5iWX5elp6eeQYh3M3N:daT5dKHS4XjA6LEBMZboU3QpkdtuHmRE

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

Malware Config

Targets

    • Target

      Kodak.exe

    • Size

      21.0MB

    • MD5

      91d4be68d8832004ca15d8e6d0114b22

    • SHA1

      138544d3e164698c6197be77fc228842c4dd7143

    • SHA256

      30a19bb2be93115840fc77eeb6390d2a6f6ab9d5c1fd6d35a7914e7593f2c457

    • SHA512

      3522355944dfdb944d7bef6373316ce729b22b025ebad4ac562d5de8012b6ad7a0bc6de85f284e69d4993363a4bcedac75def455692d1c27140825920397ccfb

    • SSDEEP

      98304:PwvkwN+MdA5wqSnWn8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DovaDJ1n6hB0F:PCV1vHB6ylnlPzf+JiJCsmFMvln6hqgE

    Score
    8/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks