General

  • Target

    WebsitePing.bat

  • Size

    139B

  • Sample

    240501-tws43aba9t

  • MD5

    e2f5cce0071d25d5753d35df2bc4eceb

  • SHA1

    41f2fe1ff4291f85606c602f05bfad08e0233461

  • SHA256

    4d49f0484b1ac88af0613235b6281cc59ad92181146c767033a0d2f9a9c9f2c0

  • SHA512

    adc0531d8e02503ce71b1261f0d652d0f9ab02cf15a860c803cb8e366178e05019c71aa75263fec18553ea550189d3cfed618c08232a67d4ad1e09226a90f397

Malware Config

Targets

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15