General

  • Target: 08112024_0046_TRRECHN_3641.js.zip
  • Size: 11KB
  • Sample: 241108-a4lv6s1fnj
  • MD5: 7c0b61635c612491ede7d1520b32e75c
  • SHA1: 2edcc26f7f4f5b83399753b118b63ae897f10c00
  • SHA256: c13e647888ffccd327364dfc27119e95cfcf8b3e8c1ea0a047a5d32849f95606
  • SHA512: f713247659d8857c1fa8fabd05595c8a9e50339d26a440ee5b2c464b4b97e6522c9fed9d67a48bf3b8a888c1cf074aeebe913f1fc77a20309f5b783accc3d2a7
  • SSDEEP: 192:ROC+hVJrSQ0bgkMnXH179aWZjZYGFvG0xHh8h+VABVBb5uvPdlvipGy:s9tP0bgkA1HjZYG1G0xeh+OBVBgHI

Malware Config

Targets

    • Target: TRRECHN_3641.js
    • Size: 11KB
    • MD5: 622ed073989d08a15dc77c40cb8a3ed1
    • SHA1: 1b8d364b5ef571c306bc00697f10456b3c48b5ed
    • SHA256: 547943260e1cc19a3bb9535a712c05ec2fa2dba38c2db10541c146a3df77c687
    • SHA512: 82d01b51720b0a27312141d70f89d416fe0039e178cd0d04df8c01c78578f466eddcfaf62369f4d70d647ed4d0e41e5a920dad65266d3503074ec143ffe98c85
    • SSDEEP: 192:AC+hVJrSQ0bgkMnXH179aWZjZYGFvG0xHh8h+VABVBb5uvPdlvipv:A9tP0bgkA1HjZYG1G0xeh+OBVBgHC

    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Sets service image path in registry
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Drops startup file
    • Event Triggered Execution: Component Object Model Hijacking
      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Boot or Logon Autostart Execution: Authentication Package
      Suspicious Windows authentication registry modification.
    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15