General

  • Target

    MDE_File_Sample_21e080d2a38237413aad3d5fa5b54307430eb864.zip

  • Size

    681KB

  • Sample

    240809-p5mlesvcjc

  • MD5

    9297273a58cf6d7a0b394cee4b17b42b

  • SHA1

    f01476c1c7e20b6e505553743b69d096198ba551

  • SHA256

    21a146ee189e35127d48b4d54c3837f65a086324caffe777d5e8e9e0b4c1ee8b

  • SHA512

    bca4201bcf7e4489c39a3dcddafca46d58498e2069f278245f00b0b36ee7cdd9a771b4e6ad33255e8683b439b578828224b3659d15b8f1221a1a2f9eb105ec61

  • SSDEEP

    12288:2qz7Di8ivDzcfEV2LgT6PqERZ5vEvMlTw4//Y8GlS3zq5QI99QFht8MiFfp8O:jDHi7AE63Z5laSO5PIt8MU

Malware Config

  • Extracted

    Language: ps1

    Source: URLs

    ps1.dropper: http://didsit.com/data.php?9427

    exe.dropper: http://didsit.com/data.php?9427

Targets

    • Target

      Update (1).js

    • Size

      3.9MB

    • MD5

      c4aefe9f1ce6862df4f981938a2147f1

    • SHA1

      21e080d2a38237413aad3d5fa5b54307430eb864

    • SHA256

      7f76bf19775cb619c66e6636e463fb75f8d2e1c279c7d02806eb5d0674728b02

    • SHA512

      c274cca49452500c9e5cdf4316a9be130df1a2b54e376ba23d2ba9f14fb5d01f30afc4b5aeca184c11a5eba6f7eef8c851c843083b0ee8c474ad1765b49021d8

    • SSDEEP

      49152:6sz6FvpOiHY7sz6FvpOiHYXsz6FvpOiHY7sz6FvpOiHYnsz6FvpOiHY7sz6FvpOQ:60WQ0Ws0WQ0We0WQ0W5

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks