596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03 | Triage

Sharing

General

Target

release_ZYEPDenPwGhK14H.rar
Size

29.4MB
Sample

241126-a746xsskdk
MD5

f5feb34e2a5c5f98d99bf419c3bf7095
SHA1

fe5164865b215081ab080eabbceb3ca7684a19f4
SHA256

596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03
SHA512

4d30fd23e77355ece63f20fd83b22b5f76bea7097e6f8ba9c18528b2abe98706a48aeb53dfd7b2aa1dcd8b0c4294b2bc4a2c99025885da842b2bb7b3cff8597f
SSDEEP

786432:q5rngpqNgncFFuOYTlTUP1eyThCFoJiSGY3y:qhgpggncniTl4YQhCFoJi23y

Score

7^/10

defense_evasion privilege_escalation

Malware Config

Targets

- Target
  
  release_ZYEPDenPwGhK14H.rar
- Size
  
  29.4MB
- MD5
  
  f5feb34e2a5c5f98d99bf419c3bf7095
- SHA1
  
  fe5164865b215081ab080eabbceb3ca7684a19f4
- SHA256
  
  596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03
- SHA512
  
  4d30fd23e77355ece63f20fd83b22b5f76bea7097e6f8ba9c18528b2abe98706a48aeb53dfd7b2aa1dcd8b0c4294b2bc4a2c99025885da842b2bb7b3cff8597f
- SSDEEP
  
  786432:q5rngpqNgncFFuOYTlTUP1eyThCFoJiSGY3y:qhgpggncniTl4YQhCFoJi23y
Score

7^/10

defense_evasion privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  ce-lib64.dll
- Size
  
  2.7MB
- MD5
  
  613f165469e6fdfeedfbcac79296906e
- SHA1
  
  f90782144ecd3681c76a3e986863240d4e17c215
- SHA256
  
  498de4f8bd87cbaf68344742f76e08dd241824148fb25fef8835ef069e56f804
- SHA512
  
  3523a3a351fd8f3a49b474dfb6530d8ac77eebdb93eb3711c6beff50aae35e9c0ebd3fd525db10f9fe9707752c87b94134a2ff4b7079149664f0628ef4991fc2
- SSDEEP
  
  49152:gSBaMAHsRvK8BsF4G+WcXP8qN2WSkZeMPnvwPD6D3uz:0+RFfG+rB8ws+Y
Score

5^/10
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  r7flexcrack.exe
- Size
  
  34.8MB
- MD5
  
  3c1a75b28e979cf502b92931c1673ee9
- SHA1
  
  7f7b0e1baad3278325ae9ac873c7ed656223275c
- SHA256
  
  54f1b768ab994c06d7e2fe286b828d725e47759e4251c4b488eaa6b6ac710e5b
- SHA512
  
  e283606b50606586dd3a0a87240dd34a1738f0ea39a64a8f33aad14f292eb961204024ad7160fc5bfdf158a05a25cad6c205b005417549addf2e890ac9590af9
- SSDEEP
  
  786432:uckh+w+C/tpgyVjaLYcs9dm9p22awtnKNeU9i:Z6kS7HmrvasnKMUE
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6
- Target
  
  r7flexpatcher.exe
- Size
  
  41KB
- MD5
  
  211679d0bf22b11671c9c8278072400f
- SHA1
  
  46767069ff081ae73fda2217a63b7b4f0c91e64a
- SHA256
  
  56c6f8cabe41895e7793fa4bd9936ea424e2e63459571f717a8d66cb808cdd96
- SHA512
  
  8e16bc0e1153996e56704ffae2c611ee43aa591fdcdad0c5bbca41cda41b19fe3c0e4ea720a19fe6bca6545c32622d9eabf9d618f96f2601e74d6e916cd3fa48
- SSDEEP
  
  768:eKk1kCV2sBbH4vVuLG544uB/RUNeM9bKqpmzCHNV:ulWw+44uB69bhmAV
Score

7^/10

defense_evasion privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

Create Process with Token

Defense Evasion

Access Token Manipulation

Create Process with Token

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasionprivilege_escalation

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

defense_evasionprivilege_escalation

behavioral8

defense_evasionprivilege_escalation