General
Target: 45b3c819-d6a3-4eb2-b100-f27de8fd43cd.jpg
Size: 129KB
Sample: 240810-an2xfs1ara
MD5: 0e4761595dd9293341fbb297d0280199
SHA1: 848c2005a902e0c29151424dc6a7171cdb1d1d86
SHA256: a87498030439ddd09263e5a676ab9bd44df9f36cfb3485a6fa7048c93bfcb1ab
SHA512: a3a296fe179f034f838af59cf42d38121c0ab8afd701a35eae79159797b78e9e79f0fff4b32d61408253f49ba804dac83b478ae7635d49ef17bfcf1beb01bef8
SSDEEP: 3072:l3vwpkdGIig1S+8sjJEL5wHPGP0OE5466un85Ljb1Uiekq2:lfxd9voKvzG5LCie92
Static task: static1
Behavioral task: behavioral1
Sample: 45b3c819-d6a3-4eb2-b100-f27de8fd43cd.jpg
Resource: win11-20240802-en
Malware Config
Targets
Target: 45b3c819-d6a3-4eb2-b100-f27de8fd43cd.jpg
Signatures
- Creates new service(s)
- Downloads MZ/PE file
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
- Modifies Windows Firewall
- Possible privilege escalation attempt
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Subvert Trust Controls (2)
  - SIP and Trust Provider Hijacking (2)