Overview

overview

10

Static

static

1

SpywareTer...up.exe

windows10-2004-x64

10

Resubmissions

09-11-2024 01:51

241109-b9v7gavcmg 8

08-11-2024 22:41

241108-2l67ya1glj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SpywareTerminatorSetup.exe

  • Size

    8.8MB

  • Sample

    241108-2l67ya1glj

  • MD5

    c3a9452f054664daf4de1e246c485c20

  • SHA1

    e0185db4a5c5b7379a0eff099e39f0f56a18ba89

  • SHA256

    9f95bbe3fb28e4c290e869b40ae20dcd9db64071cda11a77a9313c0e13b55518

  • SHA512

    6438fb21aa223d354864b6ca14f42668007a17db718727266e54cd2b7f44e9924e51187b604cb7913dc550354114efc0b55834832f891ac6796a53abc928fca9

  • SSDEEP

    196608:59Xf8Of5m6QpeBh4BE8h1RipvU0SQ7pZ+nU8TjLkYJC:TXfvflGeX4BXr6vtH1AUI/7J

Score
10/10
hawkeyexmrigadwarecredential_accessdefense_evasiondiscoveryevasionexecutionimpactkeyloggerminerpersistencephishingprivilege_escalationransomwarespywarestealertrojan

Malware Config

Targets

    • Target

      SpywareTerminatorSetup.exe

    • Size

      8.8MB

    • MD5

      c3a9452f054664daf4de1e246c485c20

    • SHA1

      e0185db4a5c5b7379a0eff099e39f0f56a18ba89

    • SHA256

      9f95bbe3fb28e4c290e869b40ae20dcd9db64071cda11a77a9313c0e13b55518

    • SHA512

      6438fb21aa223d354864b6ca14f42668007a17db718727266e54cd2b7f44e9924e51187b604cb7913dc550354114efc0b55834832f891ac6796a53abc928fca9

    • SSDEEP

      196608:59Xf8Of5m6QpeBh4BE8h1RipvU0SQ7pZ+nU8TjLkYJC:TXfvflGeX4BXr6vtH1AUI/7J

    Score
    10/10
    hawkeyexmrigadwarecredential_accessdefense_evasiondiscoveryevasionexecutionimpactkeyloggerminerpersistencephishingprivilege_escalationransomwarespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Hawkeye family

      hawkeye

    • Modifies Windows Defender notification settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • XMRig Miner payload

      miner

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Contacts a large (1448) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • A potential corporate email address has been identified in the URL: [email protected]

      phishing

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Downloads MZ/PE file

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Program crash

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Browser Extensions

1
T1176

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Power Settings

1
T1653

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

8
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks