Overview

overview

9

Static

static

3

7aa9df6811...0a.exe

windows7-x64

9

7aa9df6811...0a.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

flashplaye...ax.msi

windows7-x64

9

flashplaye...ax.msi

windows10-2004-x64

9

uninstall_...er.exe

windows7-x64

7

uninstall_...er.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7aa9df6811ccf7f560e7c2f34e26286d5366cbb81b0eed63e3271db785d10f0a.exe

  • Size

    18.2MB

  • Sample

    250318-fzybasylz6

  • MD5

    24b2b8c4ff421568e973ae8a55545228

  • SHA1

    ceaf27cde74356eece0794e862624b3ffc26a382

  • SHA256

    7aa9df6811ccf7f560e7c2f34e26286d5366cbb81b0eed63e3271db785d10f0a

  • SHA512

    afcddf9af0d4a2b4342bedf1dd553408531453befb17cf6e5e51115a6752dfa2d22be893ddea834af370854fd2764cceb4b93b55e4313596fdf6d837dd4fab95

  • SSDEEP

    393216:hWEz3GbPFdRvtTqNXbqFuOVro90+tTFweGrcmW9rS1LR:hWHbPFdRINLWro90Fe7rrkR

Score
9/10
cryptonedefense_evasiondiscoverypackerpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      7aa9df6811ccf7f560e7c2f34e26286d5366cbb81b0eed63e3271db785d10f0a.exe

    • Size

      18.2MB

    • MD5

      24b2b8c4ff421568e973ae8a55545228

    • SHA1

      ceaf27cde74356eece0794e862624b3ffc26a382

    • SHA256

      7aa9df6811ccf7f560e7c2f34e26286d5366cbb81b0eed63e3271db785d10f0a

    • SHA512

      afcddf9af0d4a2b4342bedf1dd553408531453befb17cf6e5e51115a6752dfa2d22be893ddea834af370854fd2764cceb4b93b55e4313596fdf6d837dd4fab95

    • SSDEEP

      393216:hWEz3GbPFdRvtTqNXbqFuOVro90+tTFweGrcmW9rS1LR:hWHbPFdRINLWro90Fe7rrkR

    Score
    9/10
    cryptonedefense_evasiondiscoverypackerpersistenceprivilege_escalationtrojan

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      2ae993a2ffec0c137eb51c8832691bcb

    • SHA1

      98e0b37b7c14890f8a599f35678af5e9435906e1

    • SHA256

      681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

    • SHA512

      2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

    • SSDEEP

      192:vPtkumJX7zB22kGwfy0mtVgkCPOsE1un:k702k5qpdsEQn

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      flashplayer20_0d0_228_winax.msi

    • Size

      18.7MB

    • MD5

      5bbdc07c6e6389b5d2ce86765911c879

    • SHA1

      fa86f107111fc7def35742097bf0aa29c82d7638

    • SHA256

      63cef518bff5b7a8cadd6b2a8c6b738ce3f2fdce231e95db920cbdd75e0f0bc6

    • SHA512

      144b7d73094f19cfec404f1c10d133df43f5b67d39b404ecc2c82598bed55b0622dce13e24cfa39d0cbf552a296f4a132922d23e84130fe26480cf1b0dad0e73

    • SSDEEP

      393216:AJhhV7thwzSIFadpgMKjSCHDqhadHDk2My5FiO93IYP:UnV76SIUMDSADqhaLMy5l3b

    Score
    9/10
    cryptonedefense_evasiondiscoverypackerpersistenceprivilege_escalationtrojan

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral5behavioral6

    • Target

      uninstall_flash_player.exe

    • Size

      810KB

    • MD5

      7c6cf7e123b8f3e34102a591583307cd

    • SHA1

      d5cec0e920df21b31cba9b9643d2ab4d770fd7a4

    • SHA256

      c1598fc99323355298fd14ddab18053e57886b5cf71e2ca8bc41921b0c10f4e9

    • SHA512

      222b3f9c4fd2fbc0da12b4f49c2620d5bbc1f13e493030721862d867106ee56728c5506b55f53ddbee34dd75b090ec56dfe7b8e27767d7cfe8c33c39580c249d

    • SSDEEP

      12288:2Sa/Z2DdYvbpFeaMCRR+aUCg+n+E4M7eWDLSUA3/JEvRR3Bc4OhU6Ex7:2SsZy8iaMIMMg+nXl7LkPkRR94U6Ex7

    Score
    7/10
    defense_evasiondiscoverytrojan
    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Installer Packages

1
T1546.016

Privilege Escalation

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Installer Packages

1
T1546.016

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

1
T1112

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Discovery

Network Service Discovery

1
T1046

Peripheral Device Discovery

2
T1120

Query Registry

2
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.