General
-
Target
Built.exe
-
Size
24.5MB
-
Sample
250324-y75pfsvzfz
-
MD5
d412bfe36adc679bac0330cde8f8074e
-
SHA1
7ab3893f2a090d5015f8f380fb1396287e516929
-
SHA256
26fd220fd57593ed9e488d22ef576ba6d4abd369b2db78dbd7dcafda12312b3a
-
SHA512
02231ef8f5251b370b87f8292142422a2d25106f6b3918918281df42796f7eaf85dcc91e447fccb4386de3527dacdb900575bf848a864280944ee0dface4ef71
-
SSDEEP
393216:3pXothO8Ik3f7EKMAYtl1Uoy5nwIJtEmYQm6b6Ni/2AAS8hhKREPy/pWu4kRimrv:sY08htl1Dinw2XeNi/erTy/pWWf
Malware Config
Targets
-
-
Target
Built.exe
-
Size
24.5MB
-
MD5
d412bfe36adc679bac0330cde8f8074e
-
SHA1
7ab3893f2a090d5015f8f380fb1396287e516929
-
SHA256
26fd220fd57593ed9e488d22ef576ba6d4abd369b2db78dbd7dcafda12312b3a
-
SHA512
02231ef8f5251b370b87f8292142422a2d25106f6b3918918281df42796f7eaf85dcc91e447fccb4386de3527dacdb900575bf848a864280944ee0dface4ef71
-
SSDEEP
393216:3pXothO8Ik3f7EKMAYtl1Uoy5nwIJtEmYQm6b6Ni/2AAS8hhKREPy/pWu4kRimrv:sY08htl1Dinw2XeNi/erTy/pWWf
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-