General

  • Target

    cya's FN DMA.zip

  • Size

    6.7MB

  • Sample

    241110-cxa67sxjbs

  • MD5

    22ef89be6232e4e5f0d90e325da9f83b

  • SHA1

    cd0637101f094e70df2ef95cf6f52bed22f59868

  • SHA256

    1f1ac4e53336d73a9328e4a7ce5fbbbc9720b9b8edc525b70674d0448dd8cc10

  • SHA512

    517d481f423fd695a91aef4dd0b3dffbdad4bb4e94a8371713033c295d5b40aed3ca946ade7192324248a38ca4204e0d8af349af6ce59d50cc87d8b87a9e8c64

  • SSDEEP

    196608:0GQmrsGsMO0mpxjNT4LPWhQ/Q/NRH3YJNsfwFo61FsB:0zmgBAPWhQ/RsreFK

Malware Config

Targets

    • Target

      cya's FN DMA.zip

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks