General

  • Target: matrix.rar
  • Size: 13.4MB
  • Sample: 241212-v25wgs1nc1
  • MD5: 9a9e92646bf8690e143e1a2eb22ad5a1
  • SHA1: a3f3733d90017f7908bb49fa84be73d591616c9f
  • SHA256: 9f29db0fcb7ef410fec1e32cfbb522f067db752372f8e99ef241e0d28e3b53b5
  • SHA512: 1c88d208d659c5cd06c27b59e76ddc484394480dd4d052a515522dd33dcf37e2b1ce72995eb3d2db7f851c73a7a5eb0a2fa614b1a030cb3ade5465ce5b5a682f
  • SSDEEP: 393216:IoBNQ8l6+Edg2sYXQpPXkoBNQ8l6+Edg2sYXQpPXK:7NQAxvNQAxK

Malware Config

Targets

    • Target: newuimatrix.exe
    • Size: 6.8MB
    • MD5: 1f0ef7065d5324a06fb79a1a66f46998
    • SHA1: 1b9199f4f92072cfd017b83080414f7e094fe61e
    • SHA256: ee2fc679b80508debc11666306c0b11eb38cdb437ae93aa22cc67f8be014b709
    • SHA512: 5c0a160d0c262b88a9cbe9d820f38831715cc4329aa7c47c77792029d14f3e61ef13dbfa5b485824e5067390143906db11600433dcc050f54d81fd7b3b64358e
    • SSDEEP: 196608:1rWEV1pB6ylnlPzf+JiJCsmFMvNn6hVvTA:DBRlnlPSa7mmvN+rA

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified version of it.

    • Target: olduimatrix.exe
    • Size: 6.8MB
    • MD5: 1f0ef7065d5324a06fb79a1a66f46998
    • SHA1: 1b9199f4f92072cfd017b83080414f7e094fe61e
    • SHA256: ee2fc679b80508debc11666306c0b11eb38cdb437ae93aa22cc67f8be014b709
    • SHA512: 5c0a160d0c262b88a9cbe9d820f38831715cc4329aa7c47c77792029d14f3e61ef13dbfa5b485824e5067390143906db11600433dcc050f54d81fd7b3b64358e
    • SSDEEP: 196608:1rWEV1pB6ylnlPzf+JiJCsmFMvNn6hVvTA:DBRlnlPSa7mmvN+rA

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified version of it.

MITRE ATT&CK Enterprise v15

Tasks