8bd8893f47bbc91bef5e7b9747ef4a7cf36c749a2c21c5af1e0dd297ddc20991 | Triage

Sharing

General

Target

Client.exe
Size

378KB
Sample

241121-h85svazlew
MD5

7b14a00f19e0fb39b84b37a9365d19ec
SHA1

c3bd379a385d4db71df719c25495aca101f3396d
SHA256

8bd8893f47bbc91bef5e7b9747ef4a7cf36c749a2c21c5af1e0dd297ddc20991
SHA512

a19ff44b31eed8a622c5e78a75c2d8132e2d29a051595e1d0fb9ab0b4f1144d561206ba3e8b3685903ff7c0dd85a2d979ce1548ff94a9da11a82aff614e01610
SSDEEP

6144:b0jZ/ce6pz9Jge6VlWT8b9qhlm23w3crW3rboZb:bYMpsPVle8YhLB/

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Targets

- Target
  
  Client.exe
- Size
  
  378KB
- MD5
  
  7b14a00f19e0fb39b84b37a9365d19ec
- SHA1
  
  c3bd379a385d4db71df719c25495aca101f3396d
- SHA256
  
  8bd8893f47bbc91bef5e7b9747ef4a7cf36c749a2c21c5af1e0dd297ddc20991
- SHA512
  
  a19ff44b31eed8a622c5e78a75c2d8132e2d29a051595e1d0fb9ab0b4f1144d561206ba3e8b3685903ff7c0dd85a2d979ce1548ff94a9da11a82aff614e01610
- SSDEEP
  
  6144:b0jZ/ce6pz9Jge6VlWT8b9qhlm23w3crW3rboZb:bYMpsPVle8YhLB/
Score

10^/10

evasion persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Disables Task Manager via registry modification
  evasion
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

AppInit DLLs

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

AppInit DLLs

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistenceprivilege_escalation