Overview

overview

10

Static

static

1

New-EXE/ha...ly.exe

windows7-x64

3

New-EXE/ha...ly.exe

windows10-2004-x64

10

New-EXE/ha...re.exe

windows7-x64

3

New-EXE/ha...re.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New-EXE.zip

  • Size

    171KB

  • Sample

    241119-m4a5wswank

  • MD5

    5540bc80b476c8510aa08bb07f9eab2a

  • SHA1

    e24bfe8f6e2971fbe7721a979cd191faa995b548

  • SHA256

    6b61a90ebc20baa1ee6ea5bc7c4b31c40531616c458b27d19511e4f57f5fbf67

  • SHA512

    c1705f27addd9cb32940ee78d2b754a8866b220c05ba3dceb1d5869104d7a65bd5a2e0961703c22912b49496c0f95f100b911e3f00acf10e3294d7dcc8f3a551

  • SSDEEP

    3072:HOA+8RMQAkdClTzvq1eW+k0UmiyH+ZmfCDTj1MMIbdPpiCjTz7j6:Nray1Z+kWcZ5T/IpRiCW

Score
10/10
defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      New-EXE/hardening-apply.exe

    • Size

      144KB

    • MD5

      7bbc288f509b422098217675c173aea1

    • SHA1

      03e89432aaf277af64032952388ec932fc234490

    • SHA256

      402b31c398f6497c5cfc24e9ddcda0239d9b8c688d2217f2c00260f5b1674e49

    • SHA512

      dd431b210fddc6ccc641dfaa8ae2fe3fdcee670dac93be03fbedaa1e6053ac5a85cbc7540808c25906d179847e7fc713a269d67e5c24d1edc714fb2a2ce3cf4f

    • SSDEEP

      3072:Ipvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSCbXFwiepIO:o9VkhhrdYK94IgqHniOSyaZoc7QNPnPF

    Score
    10/10
    executiondefense_evasiondiscoveryevasionlateral_movementpersistenceprivilege_escalationtrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Blocklisted process makes network request

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

      defense_evasionpersistenceprivilege_escalation

    • Modifies powershell logging option

      evasion

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

      discovery

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement
    behavioral1behavioral2

    • Target

      New-EXE/hardening-restore.exe

    • Size

      152KB

    • MD5

      b265f35aa5b05e01b939a610166c83ee

    • SHA1

      645e47cdc52481fbf267881bbf9626eca67c4696

    • SHA256

      446e8d0ef0fab6b2182b6c4feea580cf6a43ea59bdac1ee364b380bb5d596ede

    • SHA512

      a2e4c8aa4929c2c216b3c5225c5de9b8893a5b9e531f5979f1b5c01523eff364fc58367988e52a6db6a41ec77321513da665e2e474a5b199f24cb991df76c3d9

    • SSDEEP

      3072:wpvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSi3CjTz7dTu:Q9VkhhrdYK94IgqHniOSyaZoc7QNPnPK

    Score
    10/10
    executiondefense_evasiondiscoveryevasionlateral_movementpersistenceprivilege_escalationtrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Blocklisted process makes network request

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

      defense_evasionpersistenceprivilege_escalation

    • Modifies powershell logging option

      evasion

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

      discovery

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Password Policy Discovery

1
T1201

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Remote Services

2
T1021

Remote Desktop Protocol

1
T1021.001

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Exfiltration

Impact

Tasks