General

  • Target

    noescape

  • Size

    8KB

  • Sample

    241019-1bn3yazelb

  • MD5

    df0571b6df68961d29e58688c1a49608

  • SHA1

    1557b128ad0ae94e0d6b4ee0430d16df23b807e2

  • SHA256

    35d3c061e0a8ff5920e025c58d331eafef9d12fbd52a572eead15ecd19ab0a55

  • SHA512

    ad7131e64b8258a8336362bb9f3cc501e44218683eb1074f495c76042771bcf20a3454819b9f9c37f6adf35c3a078c626c41d4adfb68939cffec47b6382a9e48

  • SSDEEP

    192:PN2x2BwKBF+/rYQA0kmNiGy2aLAaShHcNs4syYN:AxTKBF+/BA0kEG8qNNUN

Targets

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
