01c29ea7e2b4ddecf7ba8a1044c8238a7a1e9bc98f2a5ffa33f43390fcedbe28 | Triage

Sharing

General

Target

dont run this.bat
Size

1013B
Sample

240603-b75ywsfa3w
MD5

b4b00681eae6600fb830308d762457fd
SHA1

d2d11d34e7c91bf486833265adade5769f406618
SHA256

01c29ea7e2b4ddecf7ba8a1044c8238a7a1e9bc98f2a5ffa33f43390fcedbe28
SHA512

d4b4358580da3018436a9a34ec151f9912cc1675edb9474094570ca6aef4e427bf15de28f24f354a9b8cb0554c094f5c941e6461dc350fcad45ac9770b338209

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://discord.com/api/webhooks/1247000288225788047/oaRJxaQkZ4jd8bhyZ6D4CaCKZyABlCK57qxox_DUnvGNxpCHeu453BFy2inhhHWNBd7A

Targets

- Target
  
  dont run this.bat
- Size
  
  1013B
- MD5
  
  b4b00681eae6600fb830308d762457fd
- SHA1
  
  d2d11d34e7c91bf486833265adade5769f406618
- SHA256
  
  01c29ea7e2b4ddecf7ba8a1044c8238a7a1e9bc98f2a5ffa33f43390fcedbe28
- SHA512
  
  d4b4358580da3018436a9a34ec151f9912cc1675edb9474094570ca6aef4e427bf15de28f24f354a9b8cb0554c094f5c941e6461dc350fcad45ac9770b338209
Score

10^/10

execution
- Blocklisted process makes network request
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Modifies termsrv.dll
  Commonly used to allow simultaneous RDP sessions.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2