General

  • Target

    Installer.exe

  • Size

    379KB

  • Sample

    241112-vr22vaxdkn

  • MD5

    e510cece47d51be80dacd878aa1da948

  • SHA1

    68f17bf7d4d1373f33c5feb775cc5de39f9b6b39

  • SHA256

    079687c4e1302522259c693fcd905bfcd9dfac0aa763bbc7cf22e89b732d8690

  • SHA512

    8c7cf0f1682e06c8938fb84fe2d6749acc8a045ddc716c99431d9f89215dc6fc9c959f582417e91dc4a870687d8a6ba5a5098ba959bdf91a0e8dc39492a69f74

  • SSDEEP

    6144:Fc8q8lBmdvjnKjBvrAU7ELe6VlWT8b9DFBUVFdl6grp1baMdt:FVqaBmYFvkLPVle8NFuBA

Targets

    • Target

      Installer.exe

    • Modifies WinLogon for persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15