General
-
Target
main [HAZARDOUS].exe
-
Size
22.4MB
-
Sample
250328-w64pnaztfz
-
MD5
72ec7d25b5a602c6f978e06234ad52fc
-
SHA1
1c35b30db8e26a6d391531779d722259ce6463d1
-
SHA256
138e58910298ddc75eac776657171d68632475b398fcd0464652c529e6d969b1
-
SHA512
f6915eb95e9c84afda046eba0d12f69a91621bb8a8d80795b0a3664d35cd91b54c5db9920cf5ebc9a49081d89ce9ef94142c1da7cc561c86af0f17061e72a4ef
-
SSDEEP
393216:g2P+TWB2KGySA6x2o7eWECZ10Kj9kfM2KRvhfyhUFkor/RB3KDp2:FP+D2o7eWEQ0c9cbKRvhqhkko11KN
Malware Config
Targets
-
-
Target
main [HAZARDOUS].exe
-
Size
22.4MB
-
MD5
72ec7d25b5a602c6f978e06234ad52fc
-
SHA1
1c35b30db8e26a6d391531779d722259ce6463d1
-
SHA256
138e58910298ddc75eac776657171d68632475b398fcd0464652c529e6d969b1
-
SHA512
f6915eb95e9c84afda046eba0d12f69a91621bb8a8d80795b0a3664d35cd91b54c5db9920cf5ebc9a49081d89ce9ef94142c1da7cc561c86af0f17061e72a4ef
-
SSDEEP
393216:g2P+TWB2KGySA6x2o7eWECZ10Kj9kfM2KRvhfyhUFkor/RB3KDp2:FP+D2o7eWEQ0c9cbKRvhqhkko11KN
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
4System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1