fc0b303599210c045b879b9d6ccc3328389ccd41e1eabbbdf1edb45d27213be0 | Triage

Sharing

General

Target

Email-Worm.Win32.AjaeV4.zip
Size

143KB
Sample

250328-betedszxgs
MD5

fb3cb8b2c21b7985e46861fec73931fd
SHA1

54390247dddd3fc6c7740f3c3159018fc3db92dd
SHA256

fc0b303599210c045b879b9d6ccc3328389ccd41e1eabbbdf1edb45d27213be0
SHA512

c928175d043a5c1be1d22a419ec22725b1d5c422d41d30ffee5168d043514254cf19c7f84b68959b13e755594e2e7871d3c447627152da803bf29a0f55e367c3
SSDEEP

3072:hwSVzHvumZ4gY7x1wc/Zf4GcHe4aJZm1Dzt68Yw2VBzdrP:hTvumsLZQhCsXH4dr

Score

10^/10

bootkit defense_evasion discovery execution exploit persistence privilege_escalation trojan

Malware Config

Targets

- Target
  
  Email-Worm.Win32.AjaeV4.zip
- Size
  
  143KB
- MD5
  
  fb3cb8b2c21b7985e46861fec73931fd
- SHA1
  
  54390247dddd3fc6c7740f3c3159018fc3db92dd
- SHA256
  
  fc0b303599210c045b879b9d6ccc3328389ccd41e1eabbbdf1edb45d27213be0
- SHA512
  
  c928175d043a5c1be1d22a419ec22725b1d5c422d41d30ffee5168d043514254cf19c7f84b68959b13e755594e2e7871d3c447627152da803bf29a0f55e367c3
- SSDEEP
  
  3072:hwSVzHvumZ4gY7x1wc/Zf4GcHe4aJZm1Dzt68Yw2VBzdrP:hTvumsLZQhCsXH4dr
Score

10^/10

bootkit defense_evasion discovery execution exploit persistence privilege_escalation trojan
- Disables service(s)
  defense_evasion execution
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Disables Task Manager via registry modification
  defense_evasion
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  defense_evasion execution
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Accessibility Features

Pre-OS Boot

Bootkit

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Accessibility Features

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

File and Directory Permissions Modification

Windows File and Directory Permissions Modification

Impair Defenses

Disable or Modify Tools

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

bootkitdefense_evasiondiscoveryexecutionexploitpersistenceprivilege_escalationtrojan