Resubmissions

20/11/2024, 07:25

241120-h8x31ayjfm 8

20/11/2024, 07:21

241120-h66x5atlbw 8

10/11/2024, 05:39

241110-gcfcmszpcv 7

08/11/2024, 14:16

241108-rk66fateqm 9

03/11/2024, 22:20

241103-19b62avnhz 10

03/11/2024, 19:28

241103-x6mltasbqf 7

02/11/2024, 18:12

241102-wtak2ssamm 7

02/11/2024, 16:37

241102-t45stszdrj 7

02/11/2024, 08:58

241102-kxfexssqem 10

02/11/2024, 07:51

241102-jpyqvs1drm 3

General

  • Target

    Bootstrapper.exe

  • Size

    800KB

  • Sample

    241108-rk66fateqm

  • MD5

    2a4dcf20b82896be94eb538260c5fb93

  • SHA1

    21f232c2fd8132f8677e53258562ad98b455e679

  • SHA256

    ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

  • SHA512

    4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

  • SSDEEP

    12288:t0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z:O5vgHWjTwAlocaKjyyItHDz

Malware Config

Targets

    • Target

      Bootstrapper.exe

    • Size

      800KB

    • MD5

      2a4dcf20b82896be94eb538260c5fb93

    • SHA1

      21f232c2fd8132f8677e53258562ad98b455e679

    • SHA256

      ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

    • SHA512

      4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

    • SSDEEP

      12288:t0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z:O5vgHWjTwAlocaKjyyItHDz

    • Modifies boot configuration data using bcdedit

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets service image path in registry

    • A potential corporate email address has been identified in the URL: [email protected]

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks