General

  • Target

    Insta乗っ取り.exe  (filename is Japanese; "乗っ取り" means takeover/hijack, i.e. "Insta takeover.exe")

  • Size

    12.8MB

  • Sample

    241126-pr8lqs1mh1

  • MD5

    e21fd8ef888e05f308e2c46d1733a0ef

  • SHA1

    38359f8b6e7c11a420fd25dfdf38bc19c5582b50

  • SHA256

    66ad55b3a7b62bc106828279bef2c5281c6533d9ac03be91f51a12a84586969f

  • SHA512

    e64558b77fb9278e9b357c1d11044a2f1e0068215e7a6637644e56b4c8acc39797aecc7aa6bfc42b10e18b5c4a81d6bd2c4ee924467d6ee661049aa1fae457cb

  • SSDEEP

    393216:gJFKdK/Rbqmv86m+1YqliAL/i1KpcUVrlXEZxa:gJ7Rm286nuWiALq1KpPHUZxa

Targets

    • Target

      Insta乗っ取り.exe

      (size and hashes identical to the General section above)

    • Modifies WinLogon for persistence

    • UAC bypass

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
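
The signature list above is what the sandbox inferred from the sample's runtime behaviour. A practitioner who wants to hunt for the same behaviour on real endpoints needs the concrete conditions behind those labels. The block below is an added example, not code from the report or the sandbox vendor: it runs a small set of detection rules over constructed, Sysmon-shaped telemetry (event ID 1 = process create, 11 = file create, 13 = registry value set) and emits the signatures this page lists. The event records, file names (`dropped.exe`, user `victim`) and the ATT&CK technique IDs attached to each rule are my own assumptions and mapping, not facts taken from the report; the only report-derived element is the original filename.

```python
"""Re-derive this report's behavioural signatures from Sysmon-like telemetry.

Added example; the events below are constructed for illustration and are not
taken from the sandbox run. Field names mimic Sysmon (Image, CommandLine,
TargetObject, Details) in simplified lower-case form.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (NOT from the report). One dropper run that
# exhibits the page's signatures, plus benign noise that must not fire.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Users\victim\Downloads\Insta乗っ取り.exe",
     "cmdline": r'"C:\Users\victim\Downloads\Insta乗っ取り.exe"'},
    {"id": 11, "image": r"C:\Users\victim\Downloads\Insta乗っ取り.exe",
     "target": r"C:\Windows\System32\dropped.exe"},                    # assumed name
    {"id": 13, "image": r"C:\Users\victim\Downloads\Insta乗っ取り.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe,C:\Windows\System32\dropped.exe"},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators victim /add"},
    {"id": 13, "image": r"C:\Users\victim\Downloads\Insta乗っ取り.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": r"C:\Users\victim\Downloads\Insta乗っ取り.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "image": r"C:\Windows\System32\dropped.exe",
     "cmdline": r"C:\Windows\System32\dropped.exe"},
    # Benign noise: plain "net use", a policy value being reset to 0, a temp file.
    {"id": 1, "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use \\fs01\share"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000000)"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\AppData\Local\Temp\log.txt"},
]

DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+|\d+)\)")


def dword_value(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 0) if m else None


def analyze(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (signature, evidence) pairs. ATT&CK IDs are the author's mapping."""
    hits: List[Tuple[str, str]] = []
    dropped = set()  # files written during the trace, keyed by lower-case path
    for ev in events:
        eid = ev["id"]
        if eid == 1:  # process creation
            image = ev["image"]
            cmd = ev.get("cmdline", "").lower()
            exe = image.rsplit("\\", 1)[-1].lower()
            if exe in ("net.exe", "net1.exe") and "localgroup" in cmd \
                    and "administrators" in cmd and "/add" in cmd:
                hits.append(("Grants admin privileges (T1098)", ev["cmdline"]))
            if image.lower() in dropped:  # something we saw written is now running
                hits.append(("Executes dropped EXE", image))
        elif eid == 11:  # file creation
            target = ev["target"]
            dropped.add(target.lower())
            if target.lower().startswith("c:\\windows\\system32\\"):
                hits.append(("Drops file in System32 directory", target))
        elif eid == 13:  # registry value set
            target = ev["target"]
            key, _, value_name = target.rpartition("\\")
            key_l, val_l = key.lower(), value_name.lower()
            if key_l.endswith("\\currentversion\\winlogon") and val_l in ("shell", "userinit"):
                hits.append(("Modifies WinLogon for persistence (T1547.004)",
                             f"{target} = {ev.get('details', '')}"))
            elif key_l.endswith("\\policies\\system") and val_l in ("disabletaskmgr", "disableregistrytools"):
                # Only a value of 1 disables the tool; a reset to 0 is not a hit.
                if dword_value(ev.get("details", "")) == 1:
                    sig = "Disables Task Manager" if val_l == "disabletaskmgr" else "Disables RegEdit"
                    hits.append((sig + " via registry modification (T1112)", target))
    return hits


def signature_names(events: List[Dict]) -> List[str]:
    """Distinct signature labels, sorted, for quick comparison with the report."""
    return sorted({sig for sig, _ in analyze(events)})


if __name__ == "__main__":
    for sig, evidence in analyze(SAMPLE_EVENTS):
        print(f"[{sig}] {evidence}")
```

Each rule keys on the same artefact the sandbox label implies (the Winlogon `Shell`/`Userinit` values, the `Policies\System` DWORDs set to 1, `net.exe ... localgroup administrators ... /add`, a write under `System32` followed by execution of that path); the UAC-bypass and permission-modification signatures are left out because the report does not say which mechanism it observed, so there is no concrete condition to encode.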

MITRE ATT&CK Enterprise v15