General
-
Target
Parental controls intercept.exe
-
Size
116.6MB
-
Sample
250221-m7pgpazpgw
-
MD5
e75ffbf0ba900ddb7a745f4eff3d6e6e
-
SHA1
d3aa2fbdf41ec8ed394de47557787480b4318392
-
SHA256
7bbfccd0c9260ef293b6b68d6b7798a9d90d312c4c5fc542e9e928e27c02f2bd
-
SHA512
2e15f373512e4b976bc8dbc697b7d77f8c20907c4fe55f3f44afdbb05865a3852185302aa38c6c2ad65e03ae70136ca12eedfdab63547b48e7ac1f2c59931278
-
SSDEEP
3145728:2cNveCRZeibJjz9wHE8/2qHO5iCpBnG0iWMstB2Ox+bu4R6:1NvJN1Zw/NHCiWhieBS
Malware Config
Targets
-
-
Target
Parental controls intercept.exe
-
Size
116.6MB
-
MD5
e75ffbf0ba900ddb7a745f4eff3d6e6e
-
SHA1
d3aa2fbdf41ec8ed394de47557787480b4318392
-
SHA256
7bbfccd0c9260ef293b6b68d6b7798a9d90d312c4c5fc542e9e928e27c02f2bd
-
SHA512
2e15f373512e4b976bc8dbc697b7d77f8c20907c4fe55f3f44afdbb05865a3852185302aa38c6c2ad65e03ae70136ca12eedfdab63547b48e7ac1f2c59931278
-
SSDEEP
3145728:2cNveCRZeibJjz9wHE8/2qHO5iCpBnG0iWMstB2Ox+bu4R6:1NvJN1Zw/NHCiWhieBS
Score9/10-
Enumerates VirtualBox DLL files
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
passwords_grabber.pyc
-
Size
8KB
-
MD5
704dced7f7530b19a34a5f7a71c26b10
-
SHA1
608d9647488cfa2b5f84a891028168a973bfcfa9
-
SHA256
1fd284f1e27263bd2a16050c6989933a382c7d196f4c9f247187cc3b3f6ba3ac
-
SHA512
e4a6710abef2c45d631745c91d8135873be06e5b240a61362e341d05ecc1dedf885487a554b648c328a3c5cc17fcf74e6d066b2e3f51379358ba28c2a0f2f39f
-
SSDEEP
192:+CE34EAL/GFf/PomdPO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfRBO8NsxuOxNn
Score3/10 -
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Virtualization/Sandbox Evasion
1