Resubmissions

  • 04/11/2024, 20:55: 241104-zqy11sxbqe 8

  • 04/11/2024, 20:52: 241104-znv7caxbmc 10

  • 04/11/2024, 20:32: 241104-zbrcmaxclp 8

  • 04/11/2024, 20:28: 241104-y9ek2swgrf 8

General

  • Target: sample

  • Size: 66KB

  • Sample: 241104-zbrcmaxclp

  • MD5: cd1b57f91a68cc5b241ca6b07499aa0f

  • SHA1: 868e51ad2a98642c5a91d2f0b4d65cd6bf8f97f3

  • SHA256: 7909ad298eba1b0e68c4e7a905563960e39bf5fdc324663e91dc9bf1af7e4565

  • SHA512: c61b85472831fc0e115f75106d8fba08d83be592e7e9ec567eacd45c146fe9e1d35c5d970642687dcff9f6452098ab13eb952057e42c79865c8e72138fc3d8f4

  • SSDEEP: 1536:a69UFLCCwNieu/behNFZuSuWtWWxnqio1HSEpqc2SkASNWjII6ZsnJVrYa5vfu6c:l9UFLhwskqio1HSEpqc2SkASNWjII6Zx

Malware Config

Targets

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Contacts a large (502) number of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Password Policy Discovery

      Attempts to access detailed information about the password policy used within an enterprise network.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks