Overview

overview

10

Static

static

5

xyz4568/dControl.exe

windows10-2004-x64

8

xyz4568/dControl.exe

windows10-ltsc 2021-x64

10

xyz4568/dControl.exe

windows11-21h2-x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xyz4568.rar

  • Size

    446KB

  • Sample

    250209-chp2ta1qcw

  • MD5

    7209e82cdcd08153f44154f6d3410df0

  • SHA1

    1efbdd58981ab71b3f2ba21ce66e42b927c5e118

  • SHA256

    ee15fc4641362985d0214b9247d65eebc2203cef38ae9a85b2c3eab3f9f6d45a

  • SHA512

    5e79997581ea4e88c294f83289cff47e03abe462bd310b5ea5e59a487fab1e5cae881d38091f024804089d3a4d39e0294ac9c6c8588c5412a4b5a2ea684e3c2b

  • SSDEEP

    6144:fMT0R8QgeWLa+eVi0pIt28iPKB+Rusx8ok15lR0UY448EPQUJS+Yui1RUcRFZoT2:fn8yWSMa5vPrRh8D1v3Yt8iUGcN4cg8Z

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojanupx

Malware Config

Targets

    • Target

      xyz4568/dControl.exe

    • Size

      447KB

    • MD5

      58008524a6473bdf86c1040a9a9e39c3

    • SHA1

      cb704d2e8df80fd3500a5b817966dc262d80ddb8

    • SHA256

      1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

    • SHA512

      8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

    • SSDEEP

      6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

    Score
    10/10
    discoveryupxdefense_evasionevasionexecutionpersistenceprivilege_escalationtrojan

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • Modifies security service

      defense_evasion

    • Windows security bypass

      defense_evasiontrojan

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Windows security modification

      defense_evasiontrojan

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Indicator Removal: Clear Persistence

      remove IFEO.

      defense_evasion

    • Modifies Security services

      Modifies the startup behavior of a security service.

      defense_evasion

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Impair Defenses

5
T1562

Disable or Modify Tools

4
T1562.001

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Modify Registry

8
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks