General

  • Target

    45b3c819-d6a3-4eb2-b100-f27de8fd43cd.jpg

  • Size

    129KB

  • Sample

    240810-an2xfs1ara

  • MD5

    0e4761595dd9293341fbb297d0280199

  • SHA1

    848c2005a902e0c29151424dc6a7171cdb1d1d86

  • SHA256

    a87498030439ddd09263e5a676ab9bd44df9f36cfb3485a6fa7048c93bfcb1ab

  • SHA512

    a3a296fe179f034f838af59cf42d38121c0ab8afd701a35eae79159797b78e9e79f0fff4b32d61408253f49ba804dac83b478ae7635d49ef17bfcf1beb01bef8

  • SSDEEP

    3072:l3vwpkdGIig1S+8sjJEL5wHPGP0OE5466un85Ljb1Uiekq2:lfxd9voKvzG5LCie92
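
The following is an added example and not part of the sandbox report: a small triage routine that recomputes the hashes listed above for a local copy of the target and checks whether the bytes actually match the `.jpg` extension (the behaviours further down, a dropped EXE executed and an MZ/PE file downloaded, are those of running code, so an extension/content mismatch is the first thing to confirm). The `MAGIC` table, the `EXT_TO_TYPE` map and the sample bytes in the demo are assumptions of the example; SSDEEP is left out because it needs the `ssdeep` library.

```python
"""Verify a local copy of a sandbox target against reported hashes and
check the file's real type. Added example; not the report's own tooling."""
import hashlib
import os

# Hash values copied from the report's General section.
REPORTED = {
    "md5": "0e4761595dd9293341fbb297d0280199",
    "sha1": "848c2005a902e0c29151424dc6a7171cdb1d1d86",
    "sha256": "a87498030439ddd09263e5a676ab9bd44df9f36cfb3485a6fa7048c93bfcb1ab",
    "sha512": "a3a296fe179f034f838af59cf42d38121c0ab8afd701a35eae79159797b78e9e"
              "79f0fff4b32d61408253f49ba804dac83b478ae7635d49ef17bfcf1beb01bef8",
}

# Magic bytes for the formats relevant to this triage (assumed table, not
# exhaustive): the extension claims JPEG, the behaviour list says a PE ran.
MAGIC = [
    ("jpeg", b"\xff\xd8\xff"),
    ("pe", b"MZ"),
    ("zip", b"PK\x03\x04"),
]

# Which content type each extension is expected to carry (assumption).
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "dll": "pe",
               "scr": "pe", "zip": "zip"}


def compute_hashes(data: bytes) -> dict:
    """Compute every digest the report lists, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORTED}


def identify(data: bytes) -> str:
    """Classify the content by leading magic bytes; 'unknown' if none match."""
    for kind, magic in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_bytes(data: bytes, name: str, expected: dict = REPORTED) -> dict:
    """Compare the bytes against the expected hashes and the claimed extension."""
    actual = compute_hashes(data)
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = identify(data)
    return {
        "size": len(data),
        "hashes": actual,
        # Algorithms whose computed digest differs from the reported one.
        "hash_mismatches": sorted(a for a in expected if actual.get(a) != expected[a]),
        "content_type": kind,
        "extension_matches_content": EXT_TO_TYPE.get(ext) == kind,
    }


def triage(path: str, expected: dict = REPORTED) -> dict:
    """Read a file from disk and run triage_bytes on it."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read(), os.path.basename(path), expected)


if __name__ == "__main__":
    # Constructed demo input: a fake PE stub carrying a .jpg name. Replace with
    # triage("/path/to/45b3c819-d6a3-4eb2-b100-f27de8fd43cd.jpg") for a real copy.
    demo = b"MZ" + b"\x00" * 62
    for key, value in triage_bytes(demo, "sample.jpg").items():
        print(f"{key}: {value}")
```

A clean result is an empty `hash_mismatches` list and `extension_matches_content` true; anything else means you are not holding the file the report describes, or the file is not what its name says.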

Malware Config

Targets

    • Target

      45b3c819-d6a3-4eb2-b100-f27de8fd43cd.jpg

    • Creates new service(s)

    • Downloads MZ/PE file

    • Manipulates Digital Signatures

      Attackers can modify the registry keys that control Authenticode and Cryptography settings so that an unsigned or tampered binary is treated as validly signed.

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: the file carries a Zone.Identifier alternate data stream, which Windows attaches to content saved or downloaded from another security zone such as the Internet. This indicates the file was originally saved from a browser or other network source rather than created locally.

    • Drops file in System32 directory

    • Enumerates processes with tasklist
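
Several of the behaviours above (Run key added, COM hijacking, new service created, Windows Firewall modified) leave registry writes that a detection pipeline can match. The following is an added example, not part of the sandbox report or its signature engine: rules for those four behaviours, with their ATT&CK technique IDs, run over constructed registry value-set events in the shape of Sysmon Event ID 13. The event records, process paths, SID and CLSID are all placeholders constructed for the example.

```python
"""Detection rules for registry-based persistence and firewall tampering,
applied to constructed Sysmon Event ID 13 style records. Added example."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RegSet:
    """One registry value-set event (Sysmon Event ID 13 fields, simplified)."""
    image: str    # process that wrote the value
    target: str   # full path of the value written, as Sysmon renders it
    details: str  # data written, as Sysmon renders it


def dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering (or a bare integer)."""
    m = re.fullmatch(r"\s*(?:DWORD\s*\(\s*(0x[0-9a-fA-F]+)\s*\)|(\d+))\s*", details)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


# Sysmon writes HKLM, HKCU or HKU\<SID> for the hive.
HIVE = r"^HK(?:LM|CU|U\\[^\\]+)"
SERVICES = r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"

# (rule name, ATT&CK technique, path pattern, optional predicate on the data)
RULES: List[tuple] = [
    # T1547.001: value added under a Run/RunOnce key starts a program at logon.
    ("run_key_persistence", "T1547.001",
     re.compile(HIVE + r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I),
     None),
    # T1546.015: a per-user InprocServer32 entry shadows the machine-wide CLSID,
    # so the attacker's DLL loads whenever that COM object is instantiated.
    ("com_hijack_inprocserver32", "T1546.015",
     re.compile(r"^HK(?:CU|U\\[^\\]+)\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}"
                r"\\InprocServer32\\\(Default\)$", re.I),
     None),
    # T1543.003: ImagePath written for a service key means a service was created
    # or repointed at a new binary.
    ("service_created", "T1543.003",
     re.compile(SERVICES + r"[^\\]+\\ImagePath$", re.I),
     None),
    # T1562.004: EnableFirewall set to 0 on any profile turns the host firewall off.
    ("firewall_disabled", "T1562.004",
     re.compile(SERVICES + r"SharedAccess\\Parameters\\FirewallPolicy\\"
                r"(?:Domain|Standard|Public)Profile\\EnableFirewall$", re.I),
     lambda d: dword(d) == 0),
]


def detect(events: List[RegSet]) -> List[dict]:
    """Return one hit per (event, rule) pair whose path and data match."""
    hits = []
    for ev in events:
        for name, technique, pattern, pred in RULES:
            pred_ok: Callable = pred or (lambda _d: True)
            if pattern.search(ev.target) and pred_ok(ev.details):
                hits.append({"rule": name, "technique": technique,
                             "image": ev.image, "target": ev.target})
    return hits


# Constructed sample events; SID, CLSID and paths are placeholders.
SID = r"S-1-5-21-1111-2222-3333-1001"
DROPPER = r"C:\Users\victim\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    RegSet(DROPPER, r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\Updater" % SID, DROPPER),
    RegSet(DROPPER, r"HKU\%s\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}"
                    r"\InprocServer32\(Default)" % SID, r"C:\Users\victim\AppData\Local\Temp\helper.dll"),
    RegSet(r"C:\Windows\System32\services.exe",
           r"HKLM\SYSTEM\CurrentControlSet\Services\svcupd\ImagePath", r"C:\Windows\System32\svcupd.exe"),
    RegSet(DROPPER, r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
                    r"\StandardProfile\EnableFirewall", "DWORD (0x00000000)"),
    # Benign writes that must not fire: an Explorer setting, and the firewall being re-enabled.
    RegSet(r"C:\Windows\explorer.exe",
           r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" % SID,
           "DWORD (0x00000001)"),
    RegSet(r"C:\Windows\System32\netsh.exe",
           r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
           r"\StandardProfile\EnableFirewall", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['rule']}: {hit['image']} -> {hit['target']}")
```

The service rule fires on `services.exe` as well as on the dropper, because a service created through the SCM API is written by `services.exe` on the caller's behalf; correlate the hit with the preceding process-creation or `sc.exe` event to find the real originator.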

MITRE ATT&CK Enterprise v15

Tasks