General

  • Target

    00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe

  • Size

    50KB

  • Sample

    241122-cfkpbaxran

  • MD5

    666248c216a3f63828f739839230f9f6

  • SHA1

    13690837235053762a538b4c5b2b601ec9f6bb22

  • SHA256

    00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da

  • SHA512

    37e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde

  • SSDEEP

    768:CT6n3V7i+V39HhHw98cje6O7UgYWE8knmbN8vnoK:7i+/BHw98cyoWE8ks8vnp

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language
hta
Source
URLs
hta.dropper

http://176.113.115.178/Windows-Update

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/1.png

Targets

    • Target

      00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe

    • Size

      50KB

    • MD5

      666248c216a3f63828f739839230f9f6

    • SHA1

      13690837235053762a538b4c5b2b601ec9f6bb22

    • SHA256

      00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da

    • SHA512

      37e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde

    • SSDEEP

      768:CT6n3V7i+V39HhHw98cje6O7UgYWE8knmbN8vnoK:7i+/BHw98cyoWE8ks8vnp

    • Modifies security service

    • UAC bypass

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks