General
Target: MDE_File_Sample_3485771d900dc9966bf3af61eb4dcc8ccbba8c3f.zip
Size: 5KB
Sample: 241021-t244hs1cqn
MD5: 0edc15b6782dcf4b8c9b6ad209966d68
SHA1: ccaeae09ff935dc07a572f45bc65a758f917f986
SHA256: e4017e74506ff5a941084b33374ab43a1abb231385c643d83e4dff2bfa1b8b57
SHA512: 2b150ea8483cb9f5acd539df7c09eee7a37613f1d3eb5731a49534a68b103b4ca1fe0f8ba5060c003dcd2e4f50d2d17fcd9019a40a371f0075d94cfd1c4963b9
SSDEEP: 96:4uaxqRn55XyPEFGdFVbvTW6UCfT1/ycdEcWxOTG2gw/lMihRtaDF6LEANuHTgrqi:bl55XyNprdycdz2OTG/wlMiDt51nrp
Static task: static1
Behavioral task: behavioral1
Sample: ChromeUpdate_130.0.6723.js
Resource: win10v2004-20241007-en

Malware Config
Extracted: http://traversecityspringbreak.com/o/o.png
Targets
Target: ChromeUpdate_130.0.6723.js
Size: 79KB
MD5: 4b0f51e544587d445b555d456fb4b4a3
SHA1: 3485771d900dc9966bf3af61eb4dcc8ccbba8c3f
SHA256: 9d81f9c0cc790f6516f7866f897d41a61bcc8a4d609f64db71c7978c144d89e9
SHA512: 12ab55347c3d8b258e1dfb555f98c2eb83daf81e1e9ec214b0ed540c76f60a37681269ce304dd527d7cbbda3c1ed387c7159a69c744c149cdfdab77efd78666e
SSDEEP: 768:wOeOeOOO4NJNI+cXecXIYxda6GbcX2oj/xvDcX2mlooVslo4LTcXGUcXK:Hj/o
- NetSupport: NetSupport is a remote access tool sold as legitimate system administration software.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Hide Artifacts: Hidden Files and Directories
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (1)