0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8 | Triage

Sharing

General

Target

0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi
Size

3.1MB
Sample

240928-gd2bhascma
MD5

d0f6a028fd07c851683f066ff7e1fd5d
SHA1

31a979b820d541059ac4672ff37851014fabb059
SHA256

0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8
SHA512

b59fdf602d477a178d4dad95fcce4d7fa442d529ca6b7d931c47633280d728c9199c54be041d89ba494f11da179f899337b0f10756a09c85e1f8f578ffb3eb8b
SSDEEP

49152:ipRh803EQqONeQDE5y6QHS+mrKcunU/qwYWS42CQlmI/pxpcx9O3cJa5tEvb:ipNEQqOAdfKcunUiwS42AI/pxKUtab

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Targets

- Target
  
  0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi
- Size
  
  3.1MB
- MD5
  
  d0f6a028fd07c851683f066ff7e1fd5d
- SHA1
  
  31a979b820d541059ac4672ff37851014fabb059
- SHA256
  
  0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8
- SHA512
  
  b59fdf602d477a178d4dad95fcce4d7fa442d529ca6b7d931c47633280d728c9199c54be041d89ba494f11da179f899337b0f10756a09c85e1f8f578ffb3eb8b
- SSDEEP
  
  49152:ipRh803EQqONeQDE5y6QHS+mrKcunU/qwYWS42CQlmI/pxpcx9O3cJa5tEvb:ipNEQqOAdfKcunUiwS42AI/pxKUtab
Score

7^/10

discovery persistence privilege_escalation
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Installer Packages

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Installer Packages

Defense Evasion

File and Directory Permissions Modification

Modify Registry

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalation

behavioral2

discoverypersistenceprivilege_escalation