Resubmissions

30-11-2024 20:43

241130-zh3n8svlct 10

30-11-2024 20:43

241130-zhk47avlbt 10

30-11-2024 20:42

241130-zha9zsypak 10

30-11-2024 20:40

241130-zft93syndp 10

General

  • Target

    DumplingV3.exe

  • Size

    8.4MB

  • Sample

    241130-zha9zsypak

  • MD5

    645781795df25e63929fba1416923c04

  • SHA1

    7b9e5aaeb3f9ff0c304cb95188208e797ec8c2a1

  • SHA256

    d05b032c428fb9c0b190d2d00aa5b5b6607d59379a64c49b1d42502d9d067fb8

  • SHA512

    47c618b7b53b333915fd1d05f2e45e72cd4f7b150a82a08dd65f5910010dccc82aefaae15fb363dd5827cdd25b556c783eea8d01d85ae25df6a48acb913d96d8

  • SSDEEP

    196608:+lWYW1wfI9jUCzi4H1qSiXLGVi7DMgpZB/NQ0VMwICEc/jg:6IHziK1piXLGVE4U+0VJ0

Malware Config

Targets

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks