General

  • Target

    New Text Document.txt

  • Size

    5KB

  • Sample

    241107-2695bsyrdx

  • MD5

    f9cc9377104eb2f39cee48a92265f4c9

  • SHA1

    5d119ce0eadabd6be225a2ae9ba7f644487d4595

  • SHA256

    e5bc6a53e11e65e89064824af41a5d2228ae513ecbfe1b76b6169d7228daa042

  • SHA512

    d549fe3c285da2aaf1dba0f78dfc87e728e80620bc2e4a0a0afac5ea6c89fb4ccf37cd79c691f7eb33e27c02b5c3a6ea569ab7ff58cd587d88f6b55bce31b9c9

  • SSDEEP

    96:7qS/wHjQ+zC+26TArMA2Q8BL/paYx3pjzxhy/MfJCY4i91/t91WP9zD91XG91UCC:2S/kHvABm0MFDJb9w0gOs

Malware Config

Targets

    • Target

      New Text Document.txt

    • Size

      5KB

    • MD5

      f9cc9377104eb2f39cee48a92265f4c9

    • SHA1

      5d119ce0eadabd6be225a2ae9ba7f644487d4595

    • SHA256

      e5bc6a53e11e65e89064824af41a5d2228ae513ecbfe1b76b6169d7228daa042

    • SHA512

      d549fe3c285da2aaf1dba0f78dfc87e728e80620bc2e4a0a0afac5ea6c89fb4ccf37cd79c691f7eb33e27c02b5c3a6ea569ab7ff58cd587d88f6b55bce31b9c9

    • SSDEEP

      96:7qS/wHjQ+zC+26TArMA2Q8BL/paYx3pjzxhy/MfJCY4i91/t91WP9zD91XG91UCC:2S/kHvABm0MFDJb9w0gOs

    • Downloads MZ/PE file

    • A potential corporate email address has been identified in the URL: =@L

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Network Share Discovery

      Attempt to gather information on host network.

    • Probable phishing domain

MITRE ATT&CK Enterprise v15

Tasks