General

  • Target

    Void-Activator.exe

  • Size

    172KB

  • Sample

    250119-znlynswlfn

  • MD5

    02236cbbf666435264240fd1507abb0a

  • SHA1

    5848863915c1345907b8ca081b72d559df06d5d2

  • SHA256

    1f44c45f0cd0d5bdc9c64526285066193687677864f064bcbdb569582ae675a5

  • SHA512

    c216138a21a475ebab33138de1fe2dad90de308237f0e793dfe2958f33f20ba2826a855422ffaf267d3915839af8e65f82df73f526407ac1e784837496152bd1

  • SSDEEP

    3072:4MobR7ezAjLOZvmX1w5GWp1icKAArDZz4N9GhbkrNEk1QXzd:deR7eammgp0yN90QElj

Malware Config

Targets

    • Target

      Void-Activator.exe

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks