General

  • Target

    New Project (29).png

  • Size

    25KB

  • Sample

    241012-dwdflszgqb

  • MD5

    5981615b1918f78802fbd8a217d6ff7a

  • SHA1

    01793a46a1143243eb3c9689599a6dbbe3b190ab

  • SHA256

    ae06fad69f4dddab841ba6d7dc425feb6615f12d38df0e9f297dbbe6c1366892

  • SHA512

    c316e9f3a4585d1e0ef506071a0e46e8e75e51a7a061bddd015bae26cd8820e904ea9555640d85e494758ef39693a8e4ff1b76f7cdc4a3ead890ce249c50a9ce

  • SSDEEP

    384:kjoBZK4fenRaxTJD9YOHCz3xiZiJeZ8zuYpHIV29Wx/EbhouLimHqLED3V18q:UYQ4mnRWDTCzEMeZWuMoeA6oIYQFz

Targets

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Possible privilege escalation attempt

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Detected potential entity reuse from brand MICROSOFT.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
