Overview

overview

10

Static

static

fucker script.exe

windows7-x64

6

fucker script.exe

windows10-1703-x64

1

fucker script.exe

windows10-2004-x64

10

Resubmissions

05-08-2022 22:21

220805-196qmsaab4 8

05-08-2022 22:20

220805-19grhsfecr 6

05-08-2022 10:34

220805-mml6tsbfe3 10

04-08-2022 16:23

220804-tvwtkagge4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vbehxx.zip

  • Size

    33KB

  • Sample

    220804-tvwtkagge4

  • MD5

    dfb15c3bdeff52b5b2d88f8cca0b76ff

  • SHA1

    02ce8a26a825cbe44a28820415db10cf5c75cf27

  • SHA256

    2e80059a92e23f07ece25cd25f4e855cb01c8623a5ca9d8d63756c2273368563

  • SHA512

    b411274f30dd9c71d5bb14a17f4978665d6e8cc45dc379b9f694bca365f69b02828eca7cfa327ae3de654f15169233c3ed430cda1a614ecb659bd23b5327ed1d

Score
10/10
microsoftcollectionpersistencephishing

Malware Config

Targets

    • Target

      fucker script.exe

    • Size

      104KB

    • MD5

      db0655efbe0dbdef1df06207f5cb5b5b

    • SHA1

      a8d48d5c0042ce359178d018c0873e8a7c2f27e8

    • SHA256

      52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56

    • SHA512

      5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704

    Score
    10/10
    microsoftcollectionphishingpersistence

    • Modifies system executable filetype association

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Registers COM server for autorun

      persistence

    • Accesses Microsoft Outlook profiles

      collection

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Drops file in System32 directory

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks