General

  • Target

    discord avatar.png

  • Size

    1.7MB

  • Sample

    240816-pg7xfstgke

  • MD5

    abec54b62898617b9be74f17ad596407

  • SHA1

    96eeee626b55e349d5f1b52e2e8e63cdc1597153

  • SHA256

    0c6bbbed3657cdfcff1d2d1cff246d3b506345b93a8ea39f4d09fabe97690a26

  • SHA512

    2bd06bf3bf1488b71d298bedb420db667e8f98e003b68541a10f666d19ce5bee4f9598b28e54b16dd2f9e9433e41ecd839491833c0e472b177fcbc7f285938e2

  • SSDEEP

    49152:nW4Cbp1xZz+W98KOH747UdDfJlE3SXNvQLPzYkogZuM:waWydrE3SdsPSAuM

Malware Config

Targets

    • Target

      discord avatar.png

    • Size

      1.7MB

    • MD5

      abec54b62898617b9be74f17ad596407

    • SHA1

      96eeee626b55e349d5f1b52e2e8e63cdc1597153

    • SHA256

      0c6bbbed3657cdfcff1d2d1cff246d3b506345b93a8ea39f4d09fabe97690a26

    • SHA512

      2bd06bf3bf1488b71d298bedb420db667e8f98e003b68541a10f666d19ce5bee4f9598b28e54b16dd2f9e9433e41ecd839491833c0e472b177fcbc7f285938e2

    • SSDEEP

      49152:nW4Cbp1xZz+W98KOH747UdDfJlE3SXNvQLPzYkogZuM:waWydrE3SdsPSAuM

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Contacts a large (626) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Possible privilege escalation attempt

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Modifies powershell logging option

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks