General
-
Target
EZFNDebbuger.exe
-
Size
6.0MB
-
Sample
240706-qc3mlsyelp
-
MD5
54b41e1a53a618cc3d5df651194a7246
-
SHA1
ccb4acd6938bf844635688e5285efd447cba5181
-
SHA256
4bbe1184a7a84dd21fb494bd1eac2860f841e244445a659c1da39a7fb36f9eae
-
SHA512
b5861a0bdf2ba043f2d759686661506d7b62369c0281db64d5cfbc2cdee4a91c326519dffc345a0c23ebbca835bd146704b3ed12a11bcd5fe2fa70f6b1361a19
-
SSDEEP
98304:SLEtdFByeLhamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4ROBM2H3PuTy:SiFMeLceN/FJMIDJf0gsAGK4ROu2GTy
Behavioral task
behavioral1
Sample
EZFNDebbuger.exe
Resource
win11-20240704-en
Malware Config
Targets
-
-
Target
EZFNDebbuger.exe
-
Size
6.0MB
-
MD5
54b41e1a53a618cc3d5df651194a7246
-
SHA1
ccb4acd6938bf844635688e5285efd447cba5181
-
SHA256
4bbe1184a7a84dd21fb494bd1eac2860f841e244445a659c1da39a7fb36f9eae
-
SHA512
b5861a0bdf2ba043f2d759686661506d7b62369c0281db64d5cfbc2cdee4a91c326519dffc345a0c23ebbca835bd146704b3ed12a11bcd5fe2fa70f6b1361a19
-
SSDEEP
98304:SLEtdFByeLhamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4ROBM2H3PuTy:SiFMeLceN/FJMIDJf0gsAGK4ROu2GTy
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
2Netsh Helper DLL
1Component Object Model Hijacking
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Event Triggered Execution
2Netsh Helper DLL
1Component Object Model Hijacking
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Hide Artifacts
2Hidden Files and Directories
2