General

  • Target

    Nursultan.rar

  • Size

    7.6MB

  • Sample

    241212-wjz3ystphr

  • MD5

    a8ec4989c64da9c63e8825c78023e336

  • SHA1

    a8e2b32cba485a531ae35dce674a79c15ae92369

  • SHA256

    6f82cc68a2096433ec78add9d6fc07d780917c2e3c0b55625d3c9c59af59ba37

  • SHA512

    2b6024fa0850602e0e8b78de621620d745bb058ab8bc422acdcfc6d5c230fe23f86c27c461ae3f97b943127edaa7f75c59aa0e9af825dac5bcc3754aaf13454d

  • SSDEEP

    196608:FRSH5i/nNrtRJlCLRrTIVpdwyzXceQpUUKuYgA+QHFmQddb/+Td6XrW:WA/nNnfC1r03dz4pseA7lmPdiC

Malware Config

Targets

    • Target

      Nursultan.exe

    • Size

      16.0MB

    • MD5

      20f764cc0f01cd53424877906a3a46ab

    • SHA1

      986b58ef559b897a1eb71a29d5cb70f5fa627f09

    • SHA256

      96c677a9d2653f5ae946dcd9fdd115a06dffd97b17426dc4cd320b8295ac412a

    • SHA512

      b8690d8c4a6de98f0add396b3c1d6851b1b9320c8fe65c1d7986c76961749232c0c7b3feacfccc54393e4ec5679c6ef1c99fb35b3bf2226114404b442fc545a3

    • SSDEEP

      196608:d90uJReNTfm/pf+xk4d6XCLRpmrbW3jmrV:pSy/pWu4cyLRpmrbmyrV

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks