Overview

overview

6

Static

static

1

wps_lid.li...eh.exe

windows7-x64

6

wps_lid.li...eh.exe

windows10-2004-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wps_lid.lid-u4Utp3nDzdeh.exe

  • Size

    5.6MB

  • Sample

    241119-xf75tszema

  • MD5

    c5a5dd5767e25a5b21ccef63fcd9b6fb

  • SHA1

    10fb2dc473f56694adb854cd206664ffb2ff1f28

  • SHA256

    dc39b5d48b629a51131dfd3422aecce052d7d661cd943bddd9994ae15ce2db40

  • SHA512

    89beb8994a9b05077296e6bae00d3f22728fe7773efc53f5dc6204658abdb35d8a743cd77b646046bb36e004a7cd1c25e32e8a34ae16aa5ad8d127df84f4f577

  • SSDEEP

    98304:86pg+4qaSDRumxkEpMH1FkQmOnhTjqsaUODS4IeOsycwuv/guB/j:H5IS1FnpAvHZwiO2AOsRzgyj

Score
6/10
bootkitdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Targets

    • Target

      wps_lid.lid-u4Utp3nDzdeh.exe

    • Size

      5.6MB

    • MD5

      c5a5dd5767e25a5b21ccef63fcd9b6fb

    • SHA1

      10fb2dc473f56694adb854cd206664ffb2ff1f28

    • SHA256

      dc39b5d48b629a51131dfd3422aecce052d7d661cd943bddd9994ae15ce2db40

    • SHA512

      89beb8994a9b05077296e6bae00d3f22728fe7773efc53f5dc6204658abdb35d8a743cd77b646046bb36e004a7cd1c25e32e8a34ae16aa5ad8d127df84f4f577

    • SSDEEP

      98304:86pg+4qaSDRumxkEpMH1FkQmOnhTjqsaUODS4IeOsycwuv/guB/j:H5IS1FnpAvHZwiO2AOsRzgyj

    Score
    6/10
    bootkitdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks