General

  • Target

    lolhahahackerwowohnoo.zip

  • Size

    356KB

  • Sample

    240811-qa7hsavdph

  • MD5

    99b1634b16aa0114a2a4034f89374ab2

  • SHA1

    ba0fa3a7c86d5beb626fd4ff9bdb3ef19aa07f36

  • SHA256

    0dd46341ec484a9634677c19ce94f04287f2f288c7bf4b751e0ca28a569986a2

  • SHA512

    19e1a0079fbf4beb68c856bf8728b094b8cd193e97b115af9f51f6b08481d8f32c1b2029649713685bb608dc1d2bb3d13cb398fb6607cf5a4cfa02b7877a752b

  • SSDEEP

    6144:e7gIXyojWkYhSlOipmMdb+BKqV8tj8axlWPpXD37mP9uL1+aUBejerUGOI2ta:+nvfqK8aDANy/h

Malware Config

Targets

    • Target

      lolhahahackerwowohnoo/hello.bat

    • Size

      2KB

    • MD5

      d51621e27667aad9fa339cc33b26cc52

    • SHA1

      6cbc2853cabf7f8b7fcd23c8f3ae10b3022b743a

    • SHA256

      f01291a8fcde83ba8e8cf48b30491bd0cb49d4ff8f3a3a029094032a13d71305

    • SHA512

      7a22494286a251945e7b1a735398be09105cd361aed033b0350bdecfd75e63d578513e20bf02a599b0ec616ece40254ed44c83ef4f7e18ab2b9de41c82a0bb82

    • Modifies visibility of file extensions in Explorer

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke Web Request.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • System Binary Proxy Execution: Rundll32

      Abuses Rundll32 to proxy execution of malicious code.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Detected potential entity reuse from brand Microsoft.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
