General
-
Target
TotallyNotAimmyV3.exe
-
Size
6.9MB
-
Sample
241221-wyf9dswjax
-
MD5
92f4c5f91c765fbe48a22d370b59385f
-
SHA1
9ad58a29b270d9a1644657efdfa6e9da0ced7395
-
SHA256
ef47e1e2bafcd60e0d7cd52ead4758c3f25146b9098b2abb03e0276ab403af43
-
SHA512
b363b7352683ae3b4f2e2db87cb9f9f21a21f128a2265841e1b3520344a34cf54bcb6a94f32bc0a006f2a502ac117edf01265a0453dec1f720cafd8e0d53e932
-
SSDEEP
98304:snAkwN+MdA5wqSnWNrrd8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DovaDJ1n67:sAV1v/B6ylnlPzf+JiJCsmFMvln6hqgR
Malware Config
Targets
-
-
Target
TotallyNotAimmyV3.exe
-
Size
6.9MB
-
MD5
92f4c5f91c765fbe48a22d370b59385f
-
SHA1
9ad58a29b270d9a1644657efdfa6e9da0ced7395
-
SHA256
ef47e1e2bafcd60e0d7cd52ead4758c3f25146b9098b2abb03e0276ab403af43
-
SHA512
b363b7352683ae3b4f2e2db87cb9f9f21a21f128a2265841e1b3520344a34cf54bcb6a94f32bc0a006f2a502ac117edf01265a0453dec1f720cafd8e0d53e932
-
SSDEEP
98304:snAkwN+MdA5wqSnWNrrd8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DovaDJ1n67:sAV1v/B6ylnlPzf+JiJCsmFMvln6hqgR
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1