General

Target: bad.ps1
Size: 110B
Sample: 241021-txggnayfmb
MD5: 23459f07fe98c203526160a5b19ee84a
SHA1: b865f279d511965afb81d100d771557b02c5539f
SHA256: e0d913450fcaf59df1b73c7855bb838ff86ddc84045ca69c72ebc7a8c8a53b8f
SHA512: e3b4e3715eed7db197ba032f5b40b1f9476b8201cbfc39bfe60d8211cd921092c854b64e0921f28150f5dee212a688eb03630425b21b0645480594c6e8ac81a3

Static task: static1

Behavioral task: behavioral1
Sample: bad.ps1
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: bad.ps1
Resource: win10v2004-20241007-en
Malware Config

Extracted URL: http://traversecityspringbreak.com/o/o.png

This is the download location pulled out of the 110-byte script; treat it as an indicator, not as a link to visit. Together with the "Downloads MZ/PE file" signature below, the .png name suggests the fetched content is a Windows executable wearing an image extension, so when triaging the payload check the first bytes for the MZ header rather than trusting the file name.
Targets

Target: bad.ps1
Size: 110B
SHA256: e0d913450fcaf59df1b73c7855bb838ff86ddc84045ca69c72ebc7a8c8a53b8f
(MD5, SHA1 and SHA512 are identical to the General section above.)
Signatures

- NetSupport
  NetSupport Manager is a remote access tool sold as legitimate system administration software; delivered by a downloader script like this one, it functions as a RAT.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Hide Artifacts: Hidden Files and Directories

Read together, the signatures describe one chain: the script host reaches out to the extracted URL, writes a PE to disk, runs it (which in turn loads a dropped DLL), registers a Run key so the executable starts at logon, and hides its files. Any one of these is noisy on its own; the value for detection is in correlating them within a short window around a PowerShell process.
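The chain above is what a detection engineer would hunt for in endpoint telemetry. The following is an added example, not code from the Triage report or from NetSupport: it runs per-event rules named after the report's signatures over Sysmon-style records (Event IDs 1, 3, 11 and 13) and correlates FileCreate with a later ProcessCreate to flag "Executes dropped EXE". The only indicator taken from the report is the extracted URL; the events, file paths, SID and Run-key value name "svc" are constructed placeholders, and Sysmon does not log file attribute changes, so "Hidden Files and Directories" and drive enumeration are not covered here.

```python
"""Hunt for the sandbox behaviours listed above in Sysmon-style events.

Added example, not part of the Triage report or of NetSupport. The event
records are constructed to resemble Sysmon Event IDs 1 (ProcessCreate),
3 (NetworkConnect), 11 (FileCreate) and 13 (RegistryEvent). The only
indicator taken from the report is the extracted URL; the paths, the SID
and the value name 'svc' are placeholders.
"""
import re
from urllib.parse import urlparse

EXTRACTED_URL = "http://traversecityspringbreak.com/o/o.png"   # from the report
IOC_HOST = urlparse(EXTRACTED_URL).hostname

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'.

    Checking the PE signature, not just 'MZ', avoids false hits on files that
    merely begin with those two letters.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(ev: dict) -> list[str]:
    """Per-event rules, named after the report's signatures."""
    hits = []
    eid = ev["EventID"]
    image = _basename(ev.get("Image", ""))
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        hits.append("Adds Run key to start application")
    if eid == 3 and image in SCRIPT_HOSTS and ev.get("DestinationHostname", "").lower() == IOC_HOST:
        hits.append("Blocklisted process makes network request")
    # Sysmon has no "download" event; a script host writing a PE to disk is the closest proxy.
    if eid == 11 and image in SCRIPT_HOSTS and is_pe(ev.get("Header", b"")):
        hits.append("Downloads MZ/PE file")
        if not ev.get("TargetFilename", "").lower().endswith((".exe", ".dll")):
            hits.append("PE written under a non-executable extension")
    return hits


def hunt(events: list[dict]) -> dict[str, list[int]]:
    """Map each signature to the indices of the events that triggered it.

    'Executes dropped EXE' needs correlation: FileCreate events from a script
    host define the dropped set, and a later ProcessCreate of one of those
    paths is flagged. A single-event rule cannot see that relationship.
    """
    dropped = {ev.get("TargetFilename", "").lower() for ev in events
               if ev["EventID"] == 11 and _basename(ev.get("Image", "")) in SCRIPT_HOSTS}
    hits: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        names = classify(ev)
        if ev["EventID"] == 1 and ev.get("Image", "").lower() in dropped:
            names.append("Executes dropped EXE")
        for name in names:
            hits.setdefault(name, []).append(i)
    return hits


# Constructed headers: a minimal PE image ('MZ', e_lfanew = 0x40, 'PE\0\0') and a real PNG magic.
PE_HEADER = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 0x40

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\victim\AppData\Roaming\svc\dropped.exe"   # placeholder path

# Constructed events in the order a detonation of the script might emit them.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": PS, "DestinationHostname": "traversecityspringbreak.com", "DestinationPort": 80},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\o.png", "Header": PE_HEADER},
    {"EventID": 11, "Image": PS, "TargetFilename": DROP, "Header": PE_HEADER},
    {"EventID": 1, "Image": DROP, "ParentImage": PS},
    {"EventID": 13, "Image": DROP,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": DROP},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},   # benign control
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

The per-event rules are deliberately narrow (script host plus the report's host, Run key plus a PE header) so that the benign Chrome connection at the end produces nothing; widen `SCRIPT_HOSTS` or drop the host match to turn the network rule into a generic "PowerShell talks to the internet" hunt, at the cost of volume.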
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories, T1564.001 (2)
  Modify Registry, T1112 (2)

The numbers in parentheses are the report's hit counts per technique. T1547.001 is listed under both Persistence and Privilege Escalation in ATT&CK; for this sample the Run key serves persistence, as the "Adds Run key to start application" signature indicates.