Resubmissions

06-12-2024 01:57

241206-cdq4batqfw 10

06-12-2024 01:53

241206-cazlaazlhl 10

General

  • Target

    Condo Generator.exe

  • Size

    15.0MB

  • Sample

    241206-cazlaazlhl

  • MD5

    1a3b0d3ffaed2d32a8f49fdea0e98843

  • SHA1

    7a6400763ebe091bef1e4ace1ee4037b8271a394

  • SHA256

    7ea9683e801974558e68504a1086cecd21797ae9a671e0d701ced7c36f3ba265

  • SHA512

    098dd7418996e1e6c23a846fc08397864a6222594015c1ea7cf0fe41bc93c8564b3ce992aecb13663c6044c056ab8ffb7aacb9da9295ea98b9c812d2353b1eeb

  • SSDEEP

    196608:9WHYdAlwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jj:HIHziK1piXLGVE4Ue0VJv

Malware Config

Targets

    • Target

      Condo Generator.exe

    • Size

      15.0MB

    • MD5

      1a3b0d3ffaed2d32a8f49fdea0e98843

    • SHA1

      7a6400763ebe091bef1e4ace1ee4037b8271a394

    • SHA256

      7ea9683e801974558e68504a1086cecd21797ae9a671e0d701ced7c36f3ba265

    • SHA512

      098dd7418996e1e6c23a846fc08397864a6222594015c1ea7cf0fe41bc93c8564b3ce992aecb13663c6044c056ab8ffb7aacb9da9295ea98b9c812d2353b1eeb

    • SSDEEP

      196608:9WHYdAlwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jj:HIHziK1piXLGVE4Ue0VJv

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks