General

  • Target

    FinalMom.bat

  • Size

    557KB

  • Sample

    240701-mphleswgpd

  • MD5

    e49481ba61b11f2825df521a57462210

  • SHA1

    26d2ddbd11e3ce9d0fa8c543dde9100ad4481060

  • SHA256

    55750bb33fca74ca670a0e4ec61d952178cf9882cc7c84416ddea253c31d1ed6

  • SHA512

    3b66e19137da1b4fdfb37672cc82830185b33df7fdc04f5fe6702fb692239a97245d1720f0dbc19fc2f1444e66256b14931b2470d641243ab1951ccffceecd72

  • SSDEEP

    12288:5Lk7+AcmNSZwB7WuKRDR3cktsrzRD1697kgWsGkFyoEuT8JGbEDk+:BC+ZRN3PtIFGvGKyoLTsfL

Score
10/10

Malware Config

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks