General

Target: file01.ps1
Size: 217B
Sample: 241109-xyqy9stjap
MD5: 1a80b1040ee50729e293d052f1088b39
SHA1: a920b93ea1598f81b159b6141c0ff624a1cc8f60
SHA256: daf1da2ab571c5e5d8be76c11bf8e63860b019cccbfbe685001cebfec4c241f5
SHA512: 07a4ee1f9f88fcff46c3fc5ce4543d959893a0de3f19fe5f3ab438260f4e2b9bbde719b632b2ca648ae3f893a4a1780a048e2ff802eaa1ae76ef0d6d04edbcb0

Static task: static1

Behavioral task: behavioral1
Sample: file01.ps1
Resource: win10ltsc2021-20241023-en

Behavioral task: behavioral2
Sample: file01.ps1
Resource: win11-20241023-en
Malware Config

Targets

Target: file01.ps1 (217B; hashes as listed under General above)
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Event Triggered Execution: Component Object Model Hijacking: adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry: system information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Persistence
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)