General

  • Target

    Command Prompt.lnk

  • Size

    1KB

  • Sample

    241031-haaj2ssgjq

  • MD5

    9c82e435db86860edb5ced5f369bdfb3

  • SHA1

    a63c6007e8679aac89632ff7ac88b29df4a11b9e

  • SHA256

    23db6dd5bb4644850d5afe83f1126d582238162ab480479fb12a6b9998a82511

  • SHA512

    727193fbc7019239f3a86238efd4f97395aebe20c62a315527216c8b878a05375d799d35483c4351c50e898a106834cbdf2139d2cf30a2d17ac1b3f6898ac109

Malware Config

Targets

    • Target

      Command Prompt.lnk

    • Size

      1KB

    • MD5

      9c82e435db86860edb5ced5f369bdfb3

    • SHA1

      a63c6007e8679aac89632ff7ac88b29df4a11b9e

    • SHA256

      23db6dd5bb4644850d5afe83f1126d582238162ab480479fb12a6b9998a82511

    • SHA512

      727193fbc7019239f3a86238efd4f97395aebe20c62a315527216c8b878a05375d799d35483c4351c50e898a106834cbdf2139d2cf30a2d17ac1b3f6898ac109

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks