41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229 | Triage

Sharing

General

Target

41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229.lnk
Size

2KB
Sample

240917-bjwejsyfqk
MD5

37fb639a295daa760c739bc21c553406
SHA1

50e4d8a112e4aad2c984d22f83c80c8723f232da
SHA256

41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229
SHA512

28d67d4d788f301590164f28d38dd2aa73e4669eb6886e7536bec47aea08f2c27c3a507ac1636d907735f644d5e67184f420fd1e556629e10b83c8d338ef159a

Score

8^/10

execution persistence

Malware Config

Targets

- Target
  
  41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229.lnk
- Size
  
  2KB
- MD5
  
  37fb639a295daa760c739bc21c553406
- SHA1
  
  50e4d8a112e4aad2c984d22f83c80c8723f232da
- SHA256
  
  41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229
- SHA512
  
  28d67d4d788f301590164f28d38dd2aa73e4669eb6886e7536bec47aea08f2c27c3a507ac1636d907735f644d5e67184f420fd1e556629e10b83c8d338ef159a
Score

8^/10

execution persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

executionpersistence