General

Target: Command Prompt.lnk
Size: 1KB
Sample: 241031-haaj2ssgjq
MD5: 9c82e435db86860edb5ced5f369bdfb3
SHA1: a63c6007e8679aac89632ff7ac88b29df4a11b9e
SHA256: 23db6dd5bb4644850d5afe83f1126d582238162ab480479fb12a6b9998a82511
SHA512: 727193fbc7019239f3a86238efd4f97395aebe20c62a315527216c8b878a05375d799d35483c4351c50e898a106834cbdf2139d2cf30a2d17ac1b3f6898ac109
Static task: static1
Behavioral task: behavioral1 (sample: Command Prompt.lnk; resource: win7-20240903-en)
Behavioral task: behavioral2 (sample: Command Prompt.lnk; resource: win10v2004-20241007-en)
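The target is a 1KB Windows shortcut, so the first static step is to recover what the shortcut launches without detonating it. The following is an added example written for this page, not code from the report or from the sandbox: a minimal MS-SHLLINK parser that reads the header, the StringData fields (relative path, working directory, arguments, icon) and the EnvironmentVariableDataBlock target, plus a few triage heuristics. The shortcut it parses is constructed inline by `build_sample_lnk`; its paths and arguments are placeholders, not the contents of Command Prompt.lnk.

```python
import struct

# Shell Link constants from MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
ENV_BLOCK_SIGNATURE, ENV_BLOCK_SIZE = 0xA0000001, 0x314   # EnvironmentVariableDataBlock
SW_SHOWMINNOACTIVE = 7                                    # start minimized, no focus

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
INTERPRETERS = ("cmd.exe", "comspec", "powershell", "pwsh", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32")
ARG_MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-ep bypass",
               "-enc", "iex", "downloadstring", "frombase64string")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, StringData and EnvironmentVariableDataBlock of a .lnk file."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags, attrs = struct.unpack_from("<II", data, 20)
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: uint16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo: uint32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "file_attributes": attrs, "show_command": show_cmd, "env_target": None}
    for bit, key in STRING_FIELDS:                # StringData: uint16 char count + chars, no terminator
        info[key] = None
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            pos += len(raw)
            info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    while pos + 8 <= len(data):                   # ExtraData: (size, signature) blocks until size < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIGNATURE and size == ENV_BLOCK_SIZE:   # 260-byte ANSI + 520-byte UTF-16 target
            ansi = data[pos + 8:pos + 268].split(b"\x00", 1)[0].decode("cp1252")
            wide = data[pos + 268:pos + 788].decode("utf-16-le").split("\x00", 1)[0]
            info["env_target"] = wide or ansi
        pos += size
    return info


def triage(data: bytes):
    """Return (parsed fields, indicator tags) for a .lnk; tags are heuristics, not verdicts."""
    info = parse_lnk(data)
    rel, args = info["relative_path"] or "", info["arguments"] or ""
    target = (info["env_target"] or rel).lower()
    tags = []
    if ".." in rel:
        tags.append("traversal")             # relative path climbs out of the shortcut's own folder
    if any(i in target for i in INTERPRETERS):
        tags.append("interpreter-target")    # launches a shell/script host rather than an application
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        tags.append("hidden-window")
    if any(m in args.lower() for m in ARG_MARKERS):
        tags.append("suspicious-args")
    if len(args) > 80:
        tags.append("long-args")             # a genuine "Command Prompt" shortcut carries no arguments
    return info, tags


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk(relative_path, working_dir, arguments, icon, env_target=None,
                     show=SW_SHOWMINNOACTIVE) -> bytes:
    """Construct a minimal Unicode .lnk for testing (placeholder content, not the analysed sample)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x80, 0, 0, 0, 0, 0, show, 0, 0, 0, 0)
    body = b"".join(_string_data(s) for s in (relative_path, working_dir, arguments, icon))
    extra = b""
    if env_target:
        extra = struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIGNATURE)
        extra += env_target.encode("cp1252").ljust(260, b"\x00")
        extra += env_target.encode("utf-16-le").ljust(520, b"\x00")
    return header + body + extra + struct.pack("<I", 0)    # TerminalBlock


# Constructed sample: a shortcut that reaches cmd.exe via %ComSpec% and hands it a hidden PowerShell.
SAMPLE_LNK = build_sample_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    working_dir=r"C:\Windows\System32",
    arguments='/c powershell -WindowStyle Hidden -NoProfile -Command "Write-Output constructed-sample"',
    icon=r"%SystemRoot%\System32\cmd.exe",
    env_target="%ComSpec%",
)

if __name__ == "__main__":
    fields, tags = triage(SAMPLE_LNK)
    for k in ("relative_path", "working_dir", "arguments", "env_target", "show_command"):
        print(f"{k:14}: {fields[k]}")
    print("indicators    :", ", ".join(tags))
```

To run it on the real file, call `triage(open(path, "rb").read())`. The parser skips the LinkTargetIDList and LinkInfo structures by size rather than decoding them, which is enough when the target is carried in the relative path or the environment block; a shortcut whose only target hint is the IDList needs a full decoder such as Eric Zimmerman's LECmd.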
Malware Config

Targets

Target: Command Prompt.lnk
Size: 1KB (MD5, SHA1, SHA256 and SHA512 as listed under General)
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Event Triggered Execution: Component Object Model Hijacking. Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15 (hit counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)