General

  • Target

    unnamed.jpg

  • Size

    2KB

  • Sample

    241020-ee3vlszbnl

  • MD5

    087eb2a8f789b07c7131db37697b532a

  • SHA1

    1d97aadf4582acc48556568c5d5efd343cb68727

  • SHA256

    f267afd0fb53d386e418dd2f85e350bc2b6410e48d24e936e7157bd9f010fb35

  • SHA512

    1288e363df67e9afb0996137ab3a834a5c7e8659a2594cc3b386ca601afb1bdafaf19501fa5ca84a66e7fac694633db939b8bc251edc886fb793da7aadb4e9c2

Malware Config

Targets

    • Target

      unnamed.jpg

    • Size

      2KB

    • MD5

      087eb2a8f789b07c7131db37697b532a

    • SHA1

      1d97aadf4582acc48556568c5d5efd343cb68727

    • SHA256

      f267afd0fb53d386e418dd2f85e350bc2b6410e48d24e936e7157bd9f010fb35

    • SHA512

      1288e363df67e9afb0996137ab3a834a5c7e8659a2594cc3b386ca601afb1bdafaf19501fa5ca84a66e7fac694633db939b8bc251edc886fb793da7aadb4e9c2

    • Modifies WinLogon for persistence

    • UAC bypass

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Disables RegEdit via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks