Overview

overview

8

Static

static

3

64be2f3a38...ce.exe

windows7-x64

8

64be2f3a38...ce.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce

  • Size

    40.2MB

  • Sample

    241120-qwyg1axhpr

  • MD5

    a9a01bcaf4ffeddb26fd9fc79f0b57c4

  • SHA1

    becb33e475352ad604ea851038cec53d2d15b047

  • SHA256

    64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce

  • SHA512

    8ade168a430cbcd0375ff6f3a1d774b882d4bc55a03a1dc12839af2d7579dd1a8502e80e7f8a9aeac63321826299076536dfd03a0b2eca7210663235622a3dc9

  • SSDEEP

    786432:JmVqrMvDDbtNol33m04zcGnI2bAYs0MNYRNFF8SMEJUG/wwOc4:MVqovbtNol3zC1Nr8S5l/qc

Score
8/10
defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationpyinstaller

Malware Config

Targets

    • Target

      64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce

    • Size

      40.2MB

    • MD5

      a9a01bcaf4ffeddb26fd9fc79f0b57c4

    • SHA1

      becb33e475352ad604ea851038cec53d2d15b047

    • SHA256

      64be2f3a38522ca4b5f4d7887cd5832363f00d1a07b8bb531424bf6e81939fce

    • SHA512

      8ade168a430cbcd0375ff6f3a1d774b882d4bc55a03a1dc12839af2d7579dd1a8502e80e7f8a9aeac63321826299076536dfd03a0b2eca7210663235622a3dc9

    • SSDEEP

      786432:JmVqrMvDDbtNol33m04zcGnI2bAYs0MNYRNFF8SMEJUG/wwOc4:MVqovbtNol3zC1Nr8S5l/qc

    Score
    8/10
    defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationpyinstaller

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Credential Access

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks