General
-
Target
ytmp3free.cc_lil-darkie-la-la-underbelly-prod-triplesixdelete-music-video-youtubemp3free.org.mp3
-
Size
1.5MB
-
Sample
240628-wz2lqaybpb
-
MD5
a4a61077b8c3a995405bb1c4ec71bd07
-
SHA1
d634654e44648d952403f10ffd7b947f7312896c
-
SHA256
40aa5358f0d279ebbb2632d3efc3ca315beb94a62329c61a4f6330dc4b1b30b3
-
SHA512
0685989564b01b0423f768b42d50b6ea4287287584158b2fd58912e057dccf02247dfc78d89f6c2f16cd0e638e225c2f997592164ec418e894646a52f35c8b55
-
SSDEEP
24576:4YLjBF00JPBO7lg7cXqp01YcUBxGrUsjv8oSfDjYIXlX40PnbLRthC7jjVNd+EQ3:bMQ2lg7+a01LmDjnXlocbXAVGwuH
Static task
static1
Behavioral task
behavioral1
Sample
ytmp3free.cc_lil-darkie-la-la-underbelly-prod-triplesixdelete-music-video-youtubemp3free.org.mp3
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
ytmp3free.cc_lil-darkie-la-la-underbelly-prod-triplesixdelete-music-video-youtubemp3free.org.mp3
Resource
win10v2004-20240508-en
Malware Config
Targets
-
-
Target
ytmp3free.cc_lil-darkie-la-la-underbelly-prod-triplesixdelete-music-video-youtubemp3free.org.mp3
-
Size
1.5MB
-
MD5
a4a61077b8c3a995405bb1c4ec71bd07
-
SHA1
d634654e44648d952403f10ffd7b947f7312896c
-
SHA256
40aa5358f0d279ebbb2632d3efc3ca315beb94a62329c61a4f6330dc4b1b30b3
-
SHA512
0685989564b01b0423f768b42d50b6ea4287287584158b2fd58912e057dccf02247dfc78d89f6c2f16cd0e638e225c2f997592164ec418e894646a52f35c8b55
-
SSDEEP
24576:4YLjBF00JPBO7lg7cXqp01YcUBxGrUsjv8oSfDjYIXlX40PnbLRthC7jjVNd+EQ3:bMQ2lg7+a01LmDjnXlocbXAVGwuH
-
Adds autorun key to be loaded by Explorer.exe on startup
-
Modifies WinLogon for persistence
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Active Setup
1Event Triggered Execution
2Netsh Helper DLL
1AppInit DLLs
1Create or Modify System Process
1Windows Service
1Browser Extensions
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Active Setup
1Event Triggered Execution
2Netsh Helper DLL
1AppInit DLLs
1Create or Modify System Process
1Windows Service
1Defense Evasion
Modify Registry
11Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Impair Defenses
1Disable or Modify System Firewall
1Pre-OS Boot
1Bootkit
1