Overview

overview

10

Static

static

1

Screenshot...26.png

windows10-ltsc 2021-x64

Screenshot...26.png

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Screenshot 2024-11-22 220626.png

  • Size

    462KB

  • Sample

    241122-rreprsslgt

  • MD5

    bed6dd625e3a7e838bcea5f3dce698b0

  • SHA1

    1254f3fdf4d78815c449d166b1c8f356f220d7c6

  • SHA256

    586431b613beb35df78653909e4cf25db717f1dc4b4d928e0e71f4453f9b4671

  • SHA512

    29c460e57c7e47fdf7f886bb1bc72b23079c1627619c6caaad3be003f76c937e9145e29f2ea109cab08802704a9ee01f6591ac65989a06a8bfab6d14809d70d6

  • SSDEEP

    12288:TknyRH3dbRMqql/tHX9Usc3HOLR5JTr7MrRW4E2rOKQ:TknudbQFX9c3HONXTPMcn2rOKQ

Score
10/10
adwaredefense_evasiondiscoveryevasionpersistenceprivilege_escalationstealer

Malware Config

Targets

    • Target

      Screenshot 2024-11-22 220626.png

    • Size

      462KB

    • MD5

      bed6dd625e3a7e838bcea5f3dce698b0

    • SHA1

      1254f3fdf4d78815c449d166b1c8f356f220d7c6

    • SHA256

      586431b613beb35df78653909e4cf25db717f1dc4b4d928e0e71f4453f9b4671

    • SHA512

      29c460e57c7e47fdf7f886bb1bc72b23079c1627619c6caaad3be003f76c937e9145e29f2ea109cab08802704a9ee01f6591ac65989a06a8bfab6d14809d70d6

    • SSDEEP

      12288:TknyRH3dbRMqql/tHX9Usc3HOLR5JTr7MrRW4E2rOKQ:TknudbQFX9c3HONXTPMcn2rOKQ

    Score
    10/10
    adwaredefense_evasiondiscoverypersistenceprivilege_escalationstealerevasion

    • Modifies visibility of file extensions in Explorer

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      remove IFEO.

      defense_evasion

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Browser Extensions

1
T1176

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Account Manipulation

1
T1098

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Modify Registry

4
T1112

Subvert Trust Controls

2
T1553

SIP and Trust Provider Hijacking

2
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks