General

  • Target

    9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6

  • Size

    6.8MB

  • Sample

    241117-s8prqstbpp

  • MD5

    eeaecc3b9fbf9b4c73121003d75375bb

  • SHA1

    4ccf75ba953cf9eeef0a682fc9d39e52787288aa

  • SHA256

    9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6

  • SHA512

    76ee0da02ab562709743a81e03bfaf277446ee2393cbe1e20c967434c85c34756031680283cfd0c356538494adbb158a01200c7749568cab0c5a59267faf6650

  • SSDEEP

    196608:3P+jtixYCSOXEwnExyzjbDFAswiaJxvmk0D:3P+8xlreujbRA7/xe

Malware Config

Targets

    • Target

      9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6

    • Size

      6.8MB

    • MD5

      eeaecc3b9fbf9b4c73121003d75375bb

    • SHA1

      4ccf75ba953cf9eeef0a682fc9d39e52787288aa

    • SHA256

      9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6

    • SHA512

      76ee0da02ab562709743a81e03bfaf277446ee2393cbe1e20c967434c85c34756031680283cfd0c356538494adbb158a01200c7749568cab0c5a59267faf6650

    • SSDEEP

      196608:3P+jtixYCSOXEwnExyzjbDFAswiaJxvmk0D:3P+8xlreujbRA7/xe

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Executes commands through the powershell.exe interpreter.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (typically via Add-MpPreference, which persists them under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions).

    • Creates new service(s)

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information (for example the SystemManufacturer and SystemProductName values under HKLM\HARDWARE\DESCRIPTION\System\BIOS) is often read to detect virtualised sandbox environments, whose vendor strings identify the hypervisor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls the configurable power settings of a Windows system and can be abused to stop an infected host from sleeping, locking, or shutting down, so the implant keeps running unattended.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
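
The following is an added triage script, not part of the report and not code from the sample, that checks a suspect host for the artefacts behind three of the signatures above: Defender exclusions added via PowerShell, newly created services, and powercfg tampering. It must run in an elevated PowerShell. The 24-hour event-log window is an assumption chosen for the example; widen it to cover the suspected infection time.

```powershell
# Added example (not from the report or the sample): elevated-PowerShell triage for the
# Defender-exclusion, service-creation and power-setting behaviours above.
# Assumption: a 24-hour look-back window for event-log queries.
$LookBack = (Get-Date).AddHours(-24)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender exclusions as the engine itself reports them.
#    Add-MpPreference / Set-MpPreference are the usual way malware adds these from PowerShell.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($value in @($pref.$kind)) {
        if ($value) { $findings.Add("Defender $kind = $value") }
    }
}

# 2. The same exclusions from the registry, which also catches direct key writes that
#    bypass the cmdlets. Reading this key needs administrator rights on current builds.
$exclRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
foreach ($sub in 'Paths', 'Extensions', 'Processes') {
    $key = Join-Path $exclRoot $sub
    if (Test-Path $key) {
        try {
            foreach ($name in (Get-Item $key).Property) { $findings.Add("Registry exclusion ($sub) $name") }
        } catch { $findings.Add("Registry exclusion ($sub): access denied, re-run as SYSTEM") }
    }
}

# 3. Defender records every configuration change as Event ID 5007; exclusion changes name
#    the Exclusions key in the message, whose last line carries the new value.
$defenderLog = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $defenderLog; Id = 5007; StartTime = $LookBack } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $last = ($_.Message -split '\r?\n' | Where-Object { $_.Trim() })[-1].Trim()
        $findings.Add("Event 5007 at $($_.TimeCreated): $last")
    }

# 4. Services installed in the window: Service Control Manager Event ID 7045 carries the
#    service name (property 0) and image path (property 1).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $LookBack } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        $findings.Add("Service created at $($_.TimeCreated): $($p[0].Value) -> $($p[1].Value)")
    }

# 5. powercfg abuse: on the active scheme a timeout of "never" is index 0. Flag AC and DC
#    values of 0 for sleep, hibernate and display-off.
function Get-PowerTimeouts {
    param([string]$SubGroup, [string]$Setting)
    $text = (powercfg /query SCHEME_CURRENT $SubGroup $Setting 2>$null) -join "`n"
    $ac = if ($text -match 'Current AC Power Setting Index:\s*0x([0-9a-f]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
    $dc = if ($text -match 'Current DC Power Setting Index:\s*0x([0-9a-f]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
    [pscustomobject]@{ Setting = $Setting; AC = $ac; DC = $dc }
}
foreach ($pair in @(@('SUB_SLEEP', 'STANDBYIDLE'), @('SUB_SLEEP', 'HIBERNATEIDLE'), @('SUB_VIDEO', 'VIDEOIDLE'))) {
    $t = Get-PowerTimeouts -SubGroup $pair[0] -Setting $pair[1]
    if ($t.AC -eq 0 -or $t.DC -eq 0) {
        $findings.Add("powercfg $($t.Setting) set to never (AC=$($t.AC) DC=$($t.DC))")
    }
}

if ($findings.Count -eq 0) { 'No matching artefacts found in the checked locations.' } else { $findings }
```

An empty result means none of the checked locations hold these artefacts, not that the host is clean: the sample also loads dropped DLLs and drops files into System32, which this script does not look for. Treat any exclusion for a user-writable path, any service whose image path sits outside Program Files or System32, and any "never" timeout on a desktop policy as findings to pivot on.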

MITRE ATT&CK Enterprise v15

Tasks