General

  • Target

    c49a6d6259d7090608badcb4853eefb1be958577dc417ec124fa313c71f8c77fN.exe

  • Size

    9.4MB

  • Sample

    241113-a92tkssrez

  • MD5

    c783a3b20315ef5554b629946af2e450

  • SHA1

    d48a797b6186b0bda4bf4ba4b4981b8ebea17e07

  • SHA256

    c49a6d6259d7090608badcb4853eefb1be958577dc417ec124fa313c71f8c77f

  • SHA512

    332d04fa682e7b12d3d2df697fa9e2209ff0dffa99535d2860c87cb38d4c6598a16ab75bdba31fbc07b8b2b160145bbc2fb75327264c25b6074e66bcc301fbb0

  • SSDEEP

    6144:tSK/ymZ3ctTWQHf5ctj8jRi2WGKMSVT86JQPDHDdx/Qtqp:ue0TlHf55RShPJQPDHvd

Malware Config

Targets

    • Modifies WinLogon for persistence

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks