General

  • Target: 植物大战僵尸杂交版v2.6.1安装程序.exe
  • Size: 102.4MB
  • Sample: 241111-11t1gsxgra
  • MD5: 98849e138ab6156ba18cb20db32bc2ac
  • SHA1: 676b47bd3be7d47c96327194d7a70d5fbae48b24
  • SHA256: ffc7f1f83525fff84f63a0074b769bc7005a0e9610e7ce1b81013cb1b3c7228a
  • SHA512: ed342f015b9442b1fedf8053292935519e90cfc065531766a0647431516ff48eeef23ed8b60b0fc3b9b450cbf2e105a7c71a592e095a0497512e475f1ebc5e95
  • SSDEEP: 1572864:48kRu3M0FLfwREdnoPdk9DRqXblGRbMccLFiy2p1NMPcJbfa2RA30uOROr8+CuvQ:4/GMKf9n2dk4hccsy2NC6bS2FuORFfoC

Targets

    • Target: 植物大战僵尸杂交版v2.6.1安装程序.exe
    • Size: 102.4MB
    • MD5: 98849e138ab6156ba18cb20db32bc2ac
    • SHA1: 676b47bd3be7d47c96327194d7a70d5fbae48b24
    • SHA256: ffc7f1f83525fff84f63a0074b769bc7005a0e9610e7ce1b81013cb1b3c7228a
    • SHA512: ed342f015b9442b1fedf8053292935519e90cfc065531766a0647431516ff48eeef23ed8b60b0fc3b9b450cbf2e105a7c71a592e095a0497512e475f1ebc5e95
    • SSDEEP: 1572864:48kRu3M0FLfwREdnoPdk9DRqXblGRbMccLFiy2p1NMPcJbfa2RA30uOROr8+CuvQ:4/GMKf9n2dk4hccsy2NC6bS2FuORFfoC

    • Modifies WinLogon for persistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Sets service image path in registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target: install.png
    • Size: 4KB
    • MD5: cb42261cca6e4bdffca61ea42965d2a4
    • SHA1: b7eb72605c950978b9f1ead2806f7877771a0c85
    • SHA256: 419e3ebca34426260b3b116ae0d4975b59d08b93ffaa03290d443e48b77fb5c2
    • SHA512: 670be9e374bcf0cd00fc92d2087944734f081362b9f6c0471a5f5eaa6ca3f79e76464588eeab8d9e93c7b4f608c42998ff8426faa0653fc9482a8969a4519d72
    • SSDEEP: 96:IStwknmWp80RcY1HiyrwLQiudwkj3uD6p0S:ISeknjn1XwpLkj+Wpj

    • Modifies WinLogon for persistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15