General
-
Target
LDPlayer9_ens_1111_ld.exe
-
Size
3.3MB
-
Sample
240701-ssvytaxgle
-
MD5
86fca06e090f8017dd323ccc516a7ed9
-
SHA1
720fd4f4d0ac09308d19d229c8fbfde71313ce7d
-
SHA256
5516ce5826c34dc1d89b1373f09a5eb490cf1dab55f98da02bdc53a73b772874
-
SHA512
05f6ea47c48a2da3304a2d14a741403200ccf47e1f1b7155a2eba3fe694e4f42b8a327010fbc20b720ba06e4f84ee96b39d885989ae7cd20cc459261cd02b34b
-
SSDEEP
49152:SLgmKyhrX/3MwVn1pHtOUYqP3CFOrtG/JR9sXafgkDFMVR9C1UhPJXMK701hOHZ4:IgmKEX/3MS1t0xOoGBiCV2H1l
Malware Config
Targets
-
-
Target
LDPlayer9_ens_1111_ld.exe
-
Size
3.3MB
-
MD5
86fca06e090f8017dd323ccc516a7ed9
-
SHA1
720fd4f4d0ac09308d19d229c8fbfde71313ce7d
-
SHA256
5516ce5826c34dc1d89b1373f09a5eb490cf1dab55f98da02bdc53a73b772874
-
SHA512
05f6ea47c48a2da3304a2d14a741403200ccf47e1f1b7155a2eba3fe694e4f42b8a327010fbc20b720ba06e4f84ee96b39d885989ae7cd20cc459261cd02b34b
-
SSDEEP
49152:SLgmKyhrX/3MwVn1pHtOUYqP3CFOrtG/JR9sXafgkDFMVR9C1UhPJXMK701hOHZ4:IgmKEX/3MS1t0xOoGBiCV2H1l
Score10/10-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Creates new service(s)
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Possible privilege escalation attempt
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies powershell logging option
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Subvert Trust Controls
2SIP and Trust Provider Hijacking
1Install Root Certificate
1File and Directory Permissions Modification
1Modify Registry
4