21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4 | Triage

Sharing

General

Target

21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4
Size

64KB
Sample

241120-zn1rtssre1
MD5

87c3b910bb2e9f17682a4c59a0e46df2
SHA1

07ab8e3432a872cf77aba14e042c1bd64cecb1fb
SHA256

21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4
SHA512

d93372b3773db93db7793b9af1ac3f64037887d615f1e764a7658cf9e781fe9ad9662086fc4c184d646dbbd2f3265f71a4f8309d2bc6f8f691d4ecefa7d96325
SSDEEP

768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5XOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QGwJ8w2VS

Score

10^/10

discovery evasion persistence

Malware Config

Targets

- Target
  
  21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4
- Size
  
  64KB
- MD5
  
  87c3b910bb2e9f17682a4c59a0e46df2
- SHA1
  
  07ab8e3432a872cf77aba14e042c1bd64cecb1fb
- SHA256
  
  21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4
- SHA512
  
  d93372b3773db93db7793b9af1ac3f64037887d615f1e764a7658cf9e781fe9ad9662086fc4c184d646dbbd2f3265f71a4f8309d2bc6f8f691d4ecefa7d96325
- SSDEEP
  
  768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5XOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QGwJ8w2VS
Score

10^/10

discovery evasion persistence
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables cmd.exe use via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

discoveryevasionpersistence

behavioral2

discoveryevasionpersistence