General

  • Target

    reboot_launcher-10.0.5+10.0.5-windows-setup.exe

  • Size

    71.8MB

  • Sample

    250111-hl31qszjg1

  • MD5

    eadc575824ee1bed4e20ed1440c2e7b7

  • SHA1

    436ca1e785a660123bd6322302f1acafdc720406

  • SHA256

    fdff6a2955b48375c9ce7c50615ebcf7c2862adf1fccf60616464db82ad90d14

  • SHA512

    2e784a912b3673f9945cfddfb21176b7d81e22786f7e0ab7fbd567bd63bed8febb70da3197bd5d12586a63c0b89790c0fb01319ba3f22158a08930aa67a079af

  • SSDEEP

    1572864:XC/TRo8Ai0HXF26JBFgplEdNu4/6hwH50tzAp//sbyj78huWIfI8FC:XC/TRhAzHXtFgpKPu4iZRa//sbyv8wf2

Targets

    • Target

      reboot_launcher-10.0.5+10.0.5-windows-setup.exe


    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically done with the Add-MpPreference or Set-MpPreference -ExclusionExtension / -ExclusionPath / -ExclusionProcess parameters), so that later dropped payloads are not scanned.

    • Checks computer location settings

      Reads the country code configured in the registry (the GeoID stored under HKCU\Control Panel\International\Geo), which is likely a geofence check to avoid running in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Enumerates the Uninstall key entries in the registry (the per-application subkeys under ...\Microsoft\Windows\CurrentVersion\Uninstall) to list the software installed on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
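The signatures above describe behaviours, not the telemetry that produces them. The following is an added example, not part of the sandbox report and not the sandbox vendor's own signature logic: a small Python triage routine that maps a trace of process, file and registry operations to labels matching the behaviours listed here (PowerShell Defender exclusions, Run key persistence, GeoID lookup, Uninstall key enumeration, drive enumeration, System32 drop, and executing/loading a file the traced process wrote earlier). The event schema, the helper names and the sample trace are all constructed for illustration; the registry locations and cmdlet names are the well-known Windows ones.

```python
import re
from collections import defaultdict

# Well-known Windows locations behind the report's behaviour signatures.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)
SYSTEM32 = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)
DRIVE_ROOT = re.compile(r"^[A-Z]:\\$", re.I)
# Defender exclusion cmdlets; [^|;]* keeps the match inside one pipeline element.
PS_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b[^|;]*-Exclusion(Path|Extension|Process)\b", re.I)


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Map a constructed trace (list of dicts with an 'op' field) to report-style
    behaviour labels. Returns {label: [indices of the events that fired]}.
    Tracks files written by the traced process so that a later 'process' or
    'image_load' of that file counts as executing/loading a dropped file."""
    hits = defaultdict(list)
    dropped = set()  # lower-cased paths written during the trace
    for i, ev in enumerate(events):
        op = ev["op"]
        if op == "file_write":
            path = ev["path"]
            dropped.add(path.lower())
            if SYSTEM32.match(path):
                hits["drops_file_in_system32"].append(i)
        elif op == "file_access":
            path = ev["path"]
            # Root of any fixed drive other than the default C: drive.
            if DRIVE_ROOT.match(path) and not path.upper().startswith("C:"):
                hits["enumerates_connected_drives"].append(i)
        elif op == "process":
            image = ev["image"]
            if (_base(image) in ("powershell.exe", "pwsh.exe")
                    and PS_EXCLUSION.search(ev.get("cmdline", ""))):
                hits["powershell_defender_exclusion"].append(i)
            if image.lower() in dropped:
                hits["executes_dropped_exe"].append(i)
        elif op == "image_load":
            module = ev["module"].lower()
            if module in dropped and module.endswith(".dll"):
                hits["loads_dropped_dll"].append(i)
        elif op == "reg_write":
            if RUN_KEY.search(ev["key"]):
                hits["run_key_persistence"].append(i)
        elif op == "reg_read":
            if GEO_KEY.search(ev["key"]) and ev.get("value", "").lower() == "nation":
                hits["checks_location_geoid"].append(i)
            elif UNINSTALL_KEY.search(ev["key"]):
                hits["enumerates_installed_software"].append(i)
    return dict(hits)


# Constructed sample trace (hypothetical paths and names; not captured from the sample).
TMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_TRACE = [
    {"op": "file_write", "path": TMP + r"\setup_helper.exe"},                       # 0
    {"op": "file_write", "path": TMP + r"\helper.dll"},                             # 1
    {"op": "process", "image": TMP + r"\setup_helper.exe", "cmdline": "setup_helper.exe /S"},  # 2
    {"op": "image_load", "module": TMP + r"\helper.dll"},                           # 3
    {"op": "process",                                                               # 4
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command \"Add-MpPreference -ExclusionPath '"
                + TMP + "' -ExclusionExtension exe -ExclusionProcess setup_helper.exe\""},
    {"op": "reg_read", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},  # 5
    {"op": "reg_read",                                                              # 6
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp",
     "value": "DisplayName"},
    {"op": "reg_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",  # 7
     "value": "Launcher", "data": TMP + r"\setup_helper.exe"},
    {"op": "file_access", "path": "D:\\"},                                          # 8
    {"op": "file_write", "path": r"C:\Windows\System32\launcher_hook.dll"},         # 9
    {"op": "file_access", "path": "C:\\"},                                          # 10: default drive, no hit
]


if __name__ == "__main__":
    for label, idx in sorted(triage(SAMPLE_TRACE).items()):
        print(f"{label:32s} events {idx}")
```

The PowerShell pattern only sees plain-text command lines; a sample that passes the cmdlet through -EncodedCommand or string concatenation will slip past it, so in a real pipeline decode the argument first or match on PowerShell script block logs (Event ID 4104), which record the de-obfuscated script. The dropped-file tracking is deliberately stateful: "executes dropped EXE" and "loads dropped DLL" only fire for files the trace itself saw being written.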
