General

  • Target

    K-Lite_Codec_Pack_1865_Mega.exe

  • Size

    63.2MB

  • Sample

    241117-rfh8ta1kbz

  • MD5

    fa8610aa129403c358d9682e8fee3795

  • SHA1

    3b681133c09e66b7245d1285278311e714d8e504

  • SHA256

    566093be23f590310ff2c10df3cd30e5e5446d721efb3db6f2cf424207cf2bba

  • SHA512

    07f26e4aa40b4abf6a90765774a9dc5c9c9740059645419f4ef850fb82d7a8b349ea160529712ce506541aef7b52a6c42a4492b028b2abfae3853aac312ee698

  • SSDEEP

    1572864:UguLeu8z2HiJfNevmYem9VXlPO0/0OIXWvHsHyMIF:Ug9z2HiJfUOY7LV/0UvGIF

Targets

    • Target

      K-Lite_Codec_Pack_1865_Mega.exe

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15