General

  • Target

    d2wDTIm.exe

  • Size

    7.5MB

  • Sample

    250119-yc45fasncs

  • MD5

    abd4f1e520621cf1deceb5a651481486

  • SHA1

    2f846c3de7050c367bade25e0ba20d6ebe1369f9

  • SHA256

    fd7baa7e1e9628cec52b0137fc21cfc2f80d5a61787020c434fb7e6a89ddefca

  • SHA512

    8f414601bf9a18ce106f147bb5676a5fe2c2a1c110ccd0a76c4953e9de78c05738652fe6e1a717f0550e01aa9b8886296c38df86360fff8666688a17eee7f9d9

  • SSDEEP

    196608:ndSdzr2MwlirTB4p5jA60eyWpzaYJ2ge6fwbthSjnE5su:nOn2xiafjV07WgYW64F5

Malware Config

Targets

    • Target

      d2wDTIm.exe

    • Size

      7.5MB

    • MD5

      abd4f1e520621cf1deceb5a651481486

    • SHA1

      2f846c3de7050c367bade25e0ba20d6ebe1369f9

    • SHA256

      fd7baa7e1e9628cec52b0137fc21cfc2f80d5a61787020c434fb7e6a89ddefca

    • SHA512

      8f414601bf9a18ce106f147bb5676a5fe2c2a1c110ccd0a76c4953e9de78c05738652fe6e1a717f0550e01aa9b8886296c38df86360fff8666688a17eee7f9d9

    • SSDEEP

      196608:ndSdzr2MwlirTB4p5jA60eyWpzaYJ2ge6fwbthSjnE5su:nOn2xiafjV07WgYW64F5

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks