General

  • Target

    action_2.0.8.9.vir

  • Size

    380KB

  • Sample

    200719-z55hg5mj5j

  • MD5

    11b3ae60c845189bbec476f762476e69

  • SHA1

    28461e56f09813363ccc1fa686e48938afde7ec4

  • SHA256

    b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67

  • SHA512

    4b235b560f0cd9d011017aec3ccbe5636a3c78905ecc401403ec2e01db809bfa3c4ecf973615ded1b54041c7e0a572ac9e6031fd56615a3621d4a9351c40c88e

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Executes dropped EXE

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Stops running service(s)

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    • Modify Existing Service (T1031): 2

    • Winlogon Helper DLL (T1004): 1

    • Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    • Modify Registry (T1112): 4

    • Disabling Security Tools (T1089): 2

  • Credential Access

    • Credentials in Files (T1081): 1

  • Collection

    • Data from Local System (T1005): 1

  • Impact

    • Service Stop (T1489): 1

Tasks