General

  • Target: macOS Transformation Pack 5.0.zip
  • Size: 186.9MB
  • Sample: 240701-x8zzxsyhlr
  • MD5: 0d299d581c0a274d15ed7d637eacaa03
  • SHA1: dca1a0364b26b4ebfe89946a3d348556d0736161
  • SHA256: 44c6d34c298f77d3914d42004275c5cfec9ea44857d0adbd6d3bd4da2dd838ee
  • SHA512: 8e2ea2c2a668482ba8f62fd2dd43d602ac43cf2fb0d8be6f450f9633007d9ea8f4e04d4e4675354672a0c1719ad5634ed899d765ca5b7cf2c4f62042f36921d9
  • SSDEEP: 3145728:HGKqW1I6hr/gD0VqMz9WBd965gJyOcU8V5eL31m6Wa5Iiyc6HolC66Q8Wisw1to:HGKqkI84svz8B/6gyO/8V5epDW2yc6HA

Malware Config

Targets

    • Target: Created by WindowsXLive.net.URL
    • Size: 130B
    • MD5: 3e032863cbd62b376db01ec38410e270
    • SHA1: 34b5122409153f4d931aeb4288c17cec836f4179
    • SHA256: d5de060178a29689821b3e4df9572ea7160f067007325f877221db63ec70c4c4
    • SHA512: 22a97d55ee72346d297ec18e8d9d23aeea602b66fbe0b679b82442ed3c0e15d8d6d1734d21c2dc797def5608ea564dd6c4f65b3f97f5cc8a1a9f40785e38e1a6
    • Score: 1/10

    • Target: Official mirror ThemeMyPC.net.URL
    • Size: 124B
    • MD5: 6561c2246cae78874ddb8cd01016a47e
    • SHA1: ee6511a61244fc193ca9c567e426ecff8c62f77b
    • SHA256: f861e9eeef5f0c97d100d0771132f85ded0c6a28ced5e1a5096a59dc981823c7
    • SHA512: d49e896d3ebd678376dd2212f3e5ce43e30058d171060b4730c68b4058312408bee0bcfec15158b787e5d0a74fa847374be5edb8ba5e0eadcd89b0e05b4f55f7
    • Score: 1/10

    • Target: macOS Transformation Pack 5.0.exe
    • Size: 187.8MB
    • MD5: ba5a81bd7b82b3abcc0d9735e480f9e5
    • SHA1: fdaa6fbe4cb3b752cacb5af17c8ee9c30584cd91
    • SHA256: 8feb8e32ced641e2b1c2d83eda71ec82b7cea57cbcd37a474533fe19e94d4389
    • SHA512: 695ce1907ac002888fd4551364823aad0e1b0a5a934c7f68b03e42f27f8140bb17fb18777314d4196f2b57e1a15a6f6fc0678f1f3aa4801f56ea6adc6e061f22
    • SSDEEP: 3145728:dasbziO5XorIO+3BRplcdzPE6vhmA098yjkKsgTde0QyiczISK/vYi7Gx/POCVez:wsb7o7+xRjczPE6JnKAc0/QLx/1u3r

    • Creates new service(s)

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Format: Tactic, then Technique (ATT&CK ID): hit count, with sub-techniques indented beneath their parent technique.

Execution
  System Services (T1569): 2
    Service Execution (T1569.002): 2

Persistence
  Create or Modify System Process (T1543): 2
    Windows Service (T1543.003): 2
  Event Triggered Execution (T1546): 1
    Component Object Model Hijacking (T1546.015): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Browser Extensions (T1176): 1

Privilege Escalation
  Create or Modify System Process (T1543): 2
    Windows Service (T1543.003): 2
  Event Triggered Execution (T1546): 1
    Component Object Model Hijacking (T1546.015): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  Impair Defenses (T1562): 2
    Safe Mode Boot (T1562.009): 1
  File and Directory Permissions Modification (T1222): 1
  Modify Registry (T1112): 2

Credential Access
  Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

Discovery
  Query Registry (T1012): 3
  System Information Discovery (T1082): 3
  Peripheral Device Discovery (T1120): 1

Collection
  Data from Local System (T1005): 1

Impact
  Service Stop (T1489): 1

Tasks