Overview

overview

8

Static

static

1

Visual Ser...er.rar

windows10-2004-x64

8

Visual Ser...er.rar

windows10-ltsc 2021-x64

1

Visual Ser...er.rar

windows11-21h2-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Visual Services Spoofer.rar

  • Size

    45.3MB

  • Sample

    241124-bxq2zsxkew

  • MD5

    bdf59ed18ba5cfe787ab94fdf50058b0

  • SHA1

    ca5d92b6d6b5fc64c7a87997f7dbf004caa02266

  • SHA256

    1a30aa1a7d5562799615d29430357d6bc8708d3ad1d0408ee09fbf3ce29846bd

  • SHA512

    e89cd12011196049af2bfd535f7977065c3877d2de8ac9523be51aa93d60b8a85ee1c548def14a700ef7a6afcfaa4ae5b6e15af94ed96c5c4047c4eb708a43ac

  • SSDEEP

    786432:Stsz65DqrK2OJMNetV5Ho5M71ngDvFpKVAz3HkO2HO30nQSgbkoGeeFmCIzGlGZ9:Sts2tEsMNetVBoq8pKCjHkO2Hy0nqWs9

Score
8/10
discoveryevasionexecutionexploitpersistenceprivilege_escalationpyinstallerspywarestealer

Malware Config

Targets

    • Target

      Visual Services Spoofer.rar

    • Size

      45.3MB

    • MD5

      bdf59ed18ba5cfe787ab94fdf50058b0

    • SHA1

      ca5d92b6d6b5fc64c7a87997f7dbf004caa02266

    • SHA256

      1a30aa1a7d5562799615d29430357d6bc8708d3ad1d0408ee09fbf3ce29846bd

    • SHA512

      e89cd12011196049af2bfd535f7977065c3877d2de8ac9523be51aa93d60b8a85ee1c548def14a700ef7a6afcfaa4ae5b6e15af94ed96c5c4047c4eb708a43ac

    • SSDEEP

      786432:Stsz65DqrK2OJMNetV5Ho5M71ngDvFpKVAz3HkO2HO30nQSgbkoGeeFmCIzGlGZ9:Sts2tEsMNetVBoq8pKCjHkO2Hy0nqWs9

    Score
    8/10
    discoveryevasionexecutionexploitpersistenceprivilege_escalationpyinstallerspywarestealer

    • Modifies Windows Firewall

      evasion

    • Possible privilege escalation attempt

      exploit

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

3
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks