General
-
Target
SWASetup (1).zip
-
Size
6KB
-
Sample
250105-yepsjatpa1
-
MD5
05d6e0ec3f7e88b064199b33200ab2d9
-
SHA1
5604a625b21257e299c38902ffa4e17163f5660e
-
SHA256
dc8369f12cb68972e237e217c0edc6ca710eecf0131a4948ec43366da1c7e6ff
-
SHA512
7be5c1a2a45bbefa5ff8d4fd85f513b6255a85a12b61e8c0459b0f5ed0f908e722e689d69c6ac1d6735582cdaf7d111b98351628b722bf08ab87050efa48e28f
-
SSDEEP
192:qZlvMDOL+ELqj3kyydCMsNu8V7tN9PBd7mGWRj:OvMDOL+EuY3Cz9hP3aZ
Malware Config
Targets
-
-
Target
SWASetup.exe
-
Size
14KB
-
MD5
cd1436d99f11bc0382d6776f23c74831
-
SHA1
accc8e49ba85581de25288b9a461ae14b5554d91
-
SHA256
6345a13c1eab921686d7ef594b6ac35e6e65839ac297795031014fbd9717508a
-
SHA512
00374fa8dce13ce885714ab23b2d9111a8bb2194c17b5ccc6bd859aead6df36398fc2abed9d2840333e8a8dfa9f5da112e3a67a1141465300caad5b12c005493
-
SSDEEP
192:jgYX92TJJTcolI9FVigA6KtuY5AlF0o4Awh/b3B0OZnnWYlA8W2FCT1vT:Ls/aKu0AlFqAwFzSSWMQRt
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Detected potential entity reuse from brand STEAM.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
3Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1