Overview

overview

10

Static

static

10

Court Proj...IO.exe

windows10-ltsc 2021-x64

7

Court Proj...ct.exe

windows10-ltsc 2021-x64

9

Court Proj...fo.exe

windows10-ltsc 2021-x64

3

Court Proj...ing.py

windows10-ltsc 2021-x64

3

Court Proj...ker.py

windows10-ltsc 2021-x64

3

Court Proj...mer.py

windows10-ltsc 2021-x64

3

Court Proj...up.exe

windows10-ltsc 2021-x64

7

Court Proj...one.py

windows10-ltsc 2021-x64

3

Court Proj...pic.py

windows10-ltsc 2021-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    240601-2d43lsgh7s_pw_infected.zip

  • Size

    89.8MB

  • Sample

    250202-sdb76awpdy

  • MD5

    869705474f188942406bd7f319564582

  • SHA1

    4b3306b4fef90f3b714a5b4a936a75ee71ba0161

  • SHA256

    a535b382b430cf77954bca0c0ee72cfb7ce60b29026d4394d7764e08e640ad62

  • SHA512

    d933e59b7646c64d1df450762e7040b34a1749a3b06b40b7e108dffac5d41161c6af524b326105184073d03deda8ee8d67a4876dd39a47040520f320dfb956ee

  • SSDEEP

    1572864:slGiBNZCeYYATg6TygXGBjOoWtPuMmBiCJU0BGO9BYLEP5Ry7Al8p3TsIDRLwy6y:kVBNQ8M1nWgYsCJU0B39mL0+p3Tls4NR

Score
10/10
pysilondefense_evasiondiscoveryexecutionpersistencepyinstallerupx

Malware Config

Targets

    • Target

      Court Project V1.1/AIO.exe

    • Size

      17.7MB

    • MD5

      401a1cbd5e2b10c3e4f167dc1f7bb4f1

    • SHA1

      ad74dfb0cb89794f0f13a21f35644ad51eab6ba7

    • SHA256

      22e7c140c849ad87f0d9f9624374045712c8a2f4c38befa85a92330fe2382316

    • SHA512

      df58e49d75dfe0b46057486d1117c422ff77d4b64d5bf4a14e0b9772600091b19d743793fdd7fc2e3031dc72cb6f50e0f1077cae3040a1dec9f5fe8df3464e8d

    • SSDEEP

      393216:kMr/sMzD1BTFAj8ItCGsm37tPIHHlWlf3TD:kWk0pBTFADzOnlM

    Score
    7/10
    defense_evasiondiscoverypyinstallerupx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      Court Project V1.1/Court Project.bat

    • Size

      75.3MB

    • MD5

      237a78a3b4b36d749f0e46d26dbc965b

    • SHA1

      f73af65ad456feb2bf5159161ff4b9ace5202598

    • SHA256

      26cf8403cb6124796a98eb4644b3d75569bea2ba156456d0dd1b0b04ad3b3572

    • SHA512

      7223a6692a131c47c7aade3a0ddd7a1fb3dbb420e824921b508565d7363185229d419e3df9e4dd3abf96200945ad076c592712fecf68f47b7e7d9105c59eac89

    • SSDEEP

      1572864:ivFUQpjkuwSk8IpG7V+VPhqS0E7WZRjRH2PRQvS6f97PyhonB08yfXWulZvFVN:ivFUqA7SkB05awSgZRdW2S6f9jnB08Qd

    Score
    9/10
    defense_evasiondiscoveryexecutionpersistenceupx

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral2

    • Target

      Court Project V1.1/Doxinfo.exe

    • Size

      90KB

    • MD5

      078639fa0eda91454c03374bb90d938f

    • SHA1

      a10c694f38759187098c57d63c0ae925322cdfa9

    • SHA256

      cc2028db9daecfc962308f695bca0d46ea2e451984e4762c14dd8c3f3f055bae

    • SHA512

      1f0348ab86e54df0928e99005ce7e9f097eed5a57f1dfad1dae6994725fef194ae7cdbe965f872b446465a566a523f587f01292f8e966fbdcb367227a098360e

    • SSDEEP

      1536:mLdD+0MON593j/NL0R21zt2kxi9dBkLpwWoNVzqkjaOT:mLdSro1xL221ztidmWr1n

    Score
    3/10
    discovery
    behavioral3

    • Target

      Court Project V1.1/Doxing.py

    • Size

      4KB

    • MD5

      757f7434780f6f1f93845702ff7725d8

    • SHA1

      a5bdef426ee67c718e904c7ffa28c43b4e863207

    • SHA256

      40628d75875a6a3c0f64180b9d9d717662c43f736aeb698477b239faa7561731

    • SHA512

      14d633d3d23ee786b68e8b06b6c4ae0aa6fe639509093f56481c81a58649494011d5f8cf6f864bb3df8217d690b0a509da0c4e0e577665dddc6a6931532dcb25

    • SSDEEP

      48:kCBrU1pXKzr4waWWgYxUHNCKVYS/y9JziuVYokF4Nm:kCtpv4waWz7H4yYyy9xNVjkFF

    Score
    3/10
    behavioral4

    • Target

      Court Project V1.1/Doxtracker.py

    • Size

      11KB

    • MD5

      e7dba9b015c58535008115046bd6fa0b

    • SHA1

      d9f50988cb0340ca5adcf1c79aad1caa1d29cfe9

    • SHA256

      8828ec1c99732a088ceceb9b3cdc6e63d96971e560f5afa65387a2002c9b1577

    • SHA512

      255de130f45b9a0d27fa4aafaa9e436a39d3f8cef9b49201eb016385244b4fbd43b2180d610a80c8e5ca79fea4eeef3210308b10304aa85b27c91db6439617bb

    • SSDEEP

      192:tVF6HAIn/8X0N8TQEXQGKm8ro66EaeTKv/r6TEVxtGvob3x6YEapTVrFHCEAyIgv:tVPg0X0NiQEXQGKm8ro6UqKv/rgEVxt/

    Score
    3/10
    behavioral5

    • Target

      Court Project V1.1/GmailSpammer.py

    • Size

      5KB

    • MD5

      40eac701774d6181f4f28fce96da1c34

    • SHA1

      7adb0497e41b41af1cf683509c9149bbf074e237

    • SHA256

      8b81d375b6d2131d0341a796eedb18f68b6db3a4d1b4134bc239bfcd401d70f2

    • SHA512

      50ce86c4cb9be78917ad951cb2af3f1cdc2cd7d0c105916d91d9556d97962b5acec4163737f55d64f238265100cb6332dca026abeec759fbd7a3a22048e3a160

    • SSDEEP

      96:6JLQjBSmsmsyOb81cxnV1WKV1lBVU7mGb7b6b2OTTIXVViBB7bpHvteoorEkgl+Q:6qj4msmsFzI7mGvW6nWpPopu29U/psUR

    Score
    3/10
    behavioral6

    • Target

      Court Project V1.1/iplookup.exe

    • Size

      2.1MB

    • MD5

      cb4903c1c4f23b021905da634c002f04

    • SHA1

      c2ccf3a1e5037c6e540b94a59e2c367ba8cd9090

    • SHA256

      49945b5eb3f80e6bb9dba81c6c6f643245bb0831ce2f6e5abf4db12ab6709b76

    • SHA512

      7f632331ba7f2fdd3c76f7f158a1cd6e79be796f2dc9f9149b7a071bb77b35fc4f0c6f189a8179eaf4947533513a3f926c879c50c8cf6cb13abdd424113f48fa

    • SSDEEP

      49152:PFkR/VWoA1QfIBoq2Pkbu5Gk6hQW/3f2V1mPzidqz/CIaB2w:NkR/VMCGvj/vYkP9aB

    Score
    7/10
    discovery

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7

    • Target

      Court Project V1.1/phone.py

    • Size

      913B

    • MD5

      0a9939cd780f54b08593509d8efce5aa

    • SHA1

      4a5cb2c39f53a1cf945082acdfe966c5d3ccf2a0

    • SHA256

      879a15ee153cfd588b61bf07fc56e5fd8a6c3f6bcb42230acfee2e22f19ce536

    • SHA512

      592f0152cc85618fcb263105b147b1f7d45a6c037c76801a310fca68658b29504f49efa2d0d4fff89e72fece8b9bba26d1857db2cc4a50b8073602ddcff85674

    Score
    3/10
    behavioral8

    • Target

      Court Project V1.1/reversepic.py

    • Size

      754B

    • MD5

      e0b3a04647ba02465a2f78eb9cb3188b

    • SHA1

      04a5b88356f859912bb77a8eb7b32294f0b8d37c

    • SHA256

      f0729606e3e1f981f2c1453f3658fb6af59d69b5cf80b51d2b12b562680e5fb4

    • SHA512

      4390acd76d3f42a764bf34e95a7f555ea8eaa2fa27d2f4b2c7b28a37345a3f08f3d6a96cc6e1bee272556bb694774a41d70a8ec303b07bee436f785fcaeeba13

    Score
    3/10
    behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Browser Information Discovery

1
T1217

File and Directory Discovery

1
T1083

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks