General
-
Target
VOIPDialer_V1.4.exe
-
Size
136.8MB
-
Sample
241226-zq3n7szmdl
-
MD5
200290ea417a6029dfffda2b986924c1
-
SHA1
ffd7283e5fd1fe28ccfd1f96576bf02f70cffd35
-
SHA256
4df7629d0312adc2d3054816b009adc45a5a4cf15ef180018e899a5552ccaad2
-
SHA512
28b2484e28f0d861f927842c35c153806e0edfec4a6c24f0a83e9bc7cd7c62d9236e4fe84ecf822669ec34813aab7f77927c88ee03e5a4fd86c298edac007634
-
SSDEEP
3145728:hdZdf5GbSRVc6f2K2J8wRbc/HmDJBfriLbZQb4Poz4O8DPIl8+87kbuYhO/7:h5kiVT2b0qJBfe+4Qz4O8klpvhO/7
Malware Config
Targets
-
-
Target
VOIPDialer_V1.4.exe
-
Size
136.8MB
-
MD5
200290ea417a6029dfffda2b986924c1
-
SHA1
ffd7283e5fd1fe28ccfd1f96576bf02f70cffd35
-
SHA256
4df7629d0312adc2d3054816b009adc45a5a4cf15ef180018e899a5552ccaad2
-
SHA512
28b2484e28f0d861f927842c35c153806e0edfec4a6c24f0a83e9bc7cd7c62d9236e4fe84ecf822669ec34813aab7f77927c88ee03e5a4fd86c298edac007634
-
SSDEEP
3145728:hdZdf5GbSRVc6f2K2J8wRbc/HmDJBfriLbZQb4Poz4O8DPIl8+87kbuYhO/7:h5kiVT2b0qJBfe+4Qz4O8klpvhO/7
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Stops running service(s)
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
2System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3