General

  • Target

    file01.ps1

  • Size

    217B

  • Sample

    241109-xyqy9stjap

  • MD5

    1a80b1040ee50729e293d052f1088b39

  • SHA1

    a920b93ea1598f81b159b6141c0ff624a1cc8f60

  • SHA256

    daf1da2ab571c5e5d8be76c11bf8e63860b019cccbfbe685001cebfec4c241f5

  • SHA512

    07a4ee1f9f88fcff46c3fc5ce4543d959893a0de3f19fe5f3ab438260f4e2b9bbde719b632b2ca648ae3f893a4a1780a048e2ff802eaa1ae76ef0d6d04edbcb0

Malware Config

Targets

    • Target

      file01.ps1

    • Size

      217B

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks