General
- Target: Defender.exe
- Size: 101.7MB
- Sample: 241124-tyc6matrhl
- MD5: 4639f7017af991701fff3d146503e89a
- SHA1: fa01f0919cfcc14ce13f10ef788525117f7972da
- SHA256: 9aba31cd70bb74c0a15d8776f6f513680447a6982eb9f0a56bb0d1e12bba8428
- SHA512: 62d77a2396abe0b8de36537d13524f1d098e6bde1cbc574900a1c2c470e9ab902d63d332669586d9b4f2a4fefe9e7da4f9a53b5644a79eb28db53e90c35f9408
- SSDEEP: 3145728:U4i5r79S6xjKcBaNJ2qHO5i29enGUDd+mA28NFnmSkkr8:Ap5SWNaNPHCi2uzA28NxF
Behavioral task
- behavioral1
  - Sample: Defender.exe
  - Resource: win11-20241007-en
Malware Config
Targets
- Target: Defender.exe
- Enumerates VirtualBox DLL files
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (2)
    - Change Default File Association (1)
    - Component Object Model Hijacking (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (2)
    - Change Default File Association (1)
    - Component Object Model Hijacking (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (3)
  - Virtualization/Sandbox Evasion (1)