General
-
Target
Hone-Optimizer.exe
-
Size
7.7MB
-
Sample
241114-n2gqbssncp
-
MD5
baa9792a0bb9c8df5521b14e425dbe09
-
SHA1
1cf257b5c2ac3c84d468a3a6a3dbc846f7d50d5e
-
SHA256
07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65
-
SHA512
45e7285cbbddb8ed61d4a39a09f15b032d8e39534139e96fe81f522fd9a644e2461080ff861062a35f3dec517a55bf584683b17dc2381c6f683f09ae06a4a636
-
SSDEEP
98304:8VeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTbdk+QqnWv9JTSPhlVX:8AYmOshoKMuIkhVastRL5Di3tKb0SPJX
Malware Config
Targets
-
-
Target
Hone-Optimizer.exe
-
Size
7.7MB
-
MD5
baa9792a0bb9c8df5521b14e425dbe09
-
SHA1
1cf257b5c2ac3c84d468a3a6a3dbc846f7d50d5e
-
SHA256
07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65
-
SHA512
45e7285cbbddb8ed61d4a39a09f15b032d8e39534139e96fe81f522fd9a644e2461080ff861062a35f3dec517a55bf584683b17dc2381c6f683f09ae06a4a636
-
SSDEEP
98304:8VeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTbdk+QqnWv9JTSPhlVX:8AYmOshoKMuIkhVastRL5Di3tKb0SPJX
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Modifies boot configuration data using bcdedit
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Image File Execution Options Injection
1Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Ignore Process Interrupts
1Impair Defenses
1Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1