General

  • Target

    decrypt.exe

  • Size

    26.9MB

  • Sample

    241109-14rdrstcrf

  • MD5

    2de15ff961b37e8c4adbeb98d2f3e63b

  • SHA1

    1fd0e9440e5c231c61061a03ed6770eebf2ebd47

  • SHA256

    deb17b39d8bfb61c95dabdce0ad4b2000647557f8b3d678a34bc135707f5dc16

  • SHA512

    186a41dd0a19d5aa202e4a7ae7979424aa7a90c9e59216fcfe04543fb8baed31526bd2c3bf39bbf194fe8c4cee175c4183be7cb3d0834a190b59bb335415431d

  • SSDEEP

    393216:Twe0JBz55GfnxPu5fTXgVRqB3Cx/+q9ePqiOpINHI3Z+GdwQSiLEOAa7F7wx/Fqn:ke0JBzmxmVEI+p+GGQVIOAUu4v5h

Malware Config

Targets

    • Target

      decrypt.exe

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks