General

  • Target

    4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd

  • Size

    7.1MB

  • Sample

    241111-vem26asapp

  • MD5

    f51696d3debb1a770199360b52416e78

  • SHA1

    ff3ec84759fe3071b61ac7b2824ee827b8465f06

  • SHA256

    4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd

  • SHA512

    4398232b39c094f0dc17eb88dde704ab1c0c8ed32c8c8190846c07b45be679c7a5f1c15cfde322d9c470f0282df6ea4875d40361b40c6f527c584e7122b83e58

  • SSDEEP

    98304:vNK/3005rMit6ZVYcEjOsEIQ2O9RhyUmi7bhjdBTfDiL2264dnQRlSEJUnR+/dji:VK8BWJjtlQ2vEhjyL16jRw6Q

Malware Config

Targets

    • Target

      4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks