Resubmissions
23/03/2025, 19:10
250323-xvmsfa11gt 1023/03/2025, 18:49
250323-xglyzsvn17 823/03/2025, 18:23
250323-w1gb6str12 823/03/2025, 18:13
250323-wtvk8azwcy 823/03/2025, 18:01
250323-wlzvzatlz3 1023/03/2025, 17:38
250323-v722saywcy 1023/03/2025, 17:35
250323-v53kjayve1 1023/03/2025, 17:27
250323-v1pswasnw2 1023/03/2025, 15:05
250323-sf8n5sylt7 823/03/2025, 14:52
250323-r8x8faxrx9 8General
-
Target
EICAR.txt
-
Size
68B
-
Sample
250323-v1pswasnw2
-
MD5
44d88612fea8a8f36de82e1278abb02f
-
SHA1
3395856ce81f2b7382dee72602f798b642f14140
-
SHA256
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
-
SHA512
cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab
Malware Config
Targets
-
-
Target
EICAR.txt
-
Size
68B
-
MD5
44d88612fea8a8f36de82e1278abb02f
-
SHA1
3395856ce81f2b7382dee72602f798b642f14140
-
SHA256
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
-
SHA512
cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Modifies WinLogon for persistence
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Browser Extensions
1Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Safe Mode Boot
1Indicator Removal
1Clear Persistence
1Modify Registry
10Subvert Trust Controls
3Install Root Certificate
1SIP and Trust Provider Hijacking
2