acc0fdad63957b4a9ffcdeb3c5ce0e4b841b1ff66f657d8bb6a430f210460629

General

Target

empyrean
Size

321KB
Sample

240701-xrrbfsxhqm
MD5

d149619ee1197b973d809098ac07478b
SHA1

dcdb3d9cb88f4e039cc56e9f423016081c8cde23
SHA256

acc0fdad63957b4a9ffcdeb3c5ce0e4b841b1ff66f657d8bb6a430f210460629
SHA512

c5181f2032e4c595f1d2a82b52c19288f34d3a5b9c1259f15f13c666241ac51e15dfdd267a955d8dc169468f6129565b1ad4f353b1fc7edbb5a6ed040d4f1e4c
SSDEEP

6144:cZo5b2n9dH5M2vkm0y3Cl3pId9RL9wvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViT:Eo5b2n9dH5M2vkm0y3Cl3pId9RL9wvZf

Score

8^/10

Malware Config

Targets

- Target
  
  empyrean
- Size
  
  321KB
- MD5
  
  d149619ee1197b973d809098ac07478b
- SHA1
  
  dcdb3d9cb88f4e039cc56e9f423016081c8cde23
- SHA256
  
  acc0fdad63957b4a9ffcdeb3c5ce0e4b841b1ff66f657d8bb6a430f210460629
- SHA512
  
  c5181f2032e4c595f1d2a82b52c19288f34d3a5b9c1259f15f13c666241ac51e15dfdd267a955d8dc169468f6129565b1ad4f353b1fc7edbb5a6ed040d4f1e4c
- SSDEEP
  
  6144:cZo5b2n9dH5M2vkm0y3Cl3pId9RL9wvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViT:Eo5b2n9dH5M2vkm0y3Cl3pId9RL9wvZf
Score

8^/10

discovery execution persistence privilege_escalation
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2