General

  • Target

    Fisch.exe

  • Size

    37.3MB

  • Sample

    241112-1n5w8a1lfs

  • MD5

    7ff657b71e0884066de97dfef21938fb

  • SHA1

    3957b26c8c9926adc03382dc26a16d48a6c9d565

  • SHA256

    0738084ae2ae02b91998207bdfe327d26575b12b25cb8ff5937ea0ed974bf95e

  • SHA512

    2cd283cef2572627bbdf8794da41c074c6eb2172b8e1a33a7a9820e7dadc952ce5a126889cc6dd6c6ebad2988119efbe8e4b3f80698d73d3fb020ea1a5856556

  • SSDEEP

    786432:B3on1HvSzxAMN9FZArYsQxcPvx7OZuEyL:BYn1HvSpN9XmIctuyL

Malware Config

Targets

    • Target

      Fisch.exe

    • UAC bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that dropped payloads in those locations are not scanned.

    • Downloads MZ/PE file

    • A potential corporate email address has been identified in the URL: [email protected]

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated cmd.exe command line

      An obfuscated cmd.exe command line is typically used to evade detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist
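As an added example (not part of the sandbox report, and not code from the sample or from the sandbox vendor), the following Python checks Sysmon-style process-creation records for several of the behaviours listed above: the PowerShell Defender-exclusion change, the Run key addition, the Uninstall-key and EnableLUA registry queries, process enumeration with tasklist, and caret/environment-variable obfuscation of cmd.exe command lines. The events, paths and process IDs are constructed for the example; the ATT&CK technique IDs are the standard numbers these behaviours are usually mapped to, not the report's own mapping.

```python
"""Flag report-listed behaviours in Sysmon Event ID 1 style records.
Sample events are constructed for this example, not taken from the sandbox run."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str      # MITRE ATT&CK technique ID (assumed standard mapping)
    label: str
    pid: int
    command_line: str


# Constructed process-creation events (Image, CommandLine, ProcessId).
SAMPLE_EVENTS = [
    {"ProcessId": 4012,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -WindowStyle Hidden -Command "Add-MpPreference '
                    '-ExclusionPath C:\\Users\\user\\AppData\\Roaming '
                    '-ExclusionExtension .exe -ExclusionProcess loader.exe"'},
    {"ProcessId": 4020, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                    '/v Updater /t REG_SZ /d "C:\\Users\\user\\AppData\\Roaming\\updater.exe" /f'},
    {"ProcessId": 4031, "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /fo csv"},
    {"ProcessId": 4040, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s'},
    {"ProcessId": 4045, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA'},
    {"ProcessId": 4052, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "s^t^a^r^t %APPDATA%\\updater.exe"'},
    # Two benign controls that must not fire.
    {"ProcessId": 4060, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir C:\\"},
    {"ProcessId": 4070,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpPreference"},
]

# Add-MpPreference / Set-MpPreference with any of the three exclusion switches.
_DEFENDER_EXCL = re.compile(r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.I)
# reg add ...\CurrentVersion\Run or RunOnce (regex escapes of a literal backslash).
_RUN_KEY = re.compile(r"\badd\b.*\\CurrentVersion\\Run(Once)?\b", re.I)
_UNINSTALL = re.compile(r"\bquery\b.*\\CurrentVersion\\Uninstall\b", re.I)
_ENABLELUA = re.compile(r"\bquery\b.*\bEnableLUA\b", re.I)
# cmd obfuscation: carets inside a word (s^t^a^r^t) or %VAR:~n,m% substring expansion.
_CARET = re.compile(r"\w\^\w")
_ENV_SUBSTR = re.compile(r"%\w+:~\s*-?\d+", re.I)


def cmd_looks_obfuscated(cmdline: str) -> bool:
    """Heuristic for the caret / env-var substring tricks seen in obfuscated cmd lines."""
    return bool(_CARET.search(cmdline) or _ENV_SUBSTR.search(cmdline))


def evaluate_event(event: dict) -> list:
    """Return the findings for one process-creation event (empty list if none)."""
    image = ntpath.basename(event["Image"]).lower()
    cl = event["CommandLine"]
    hits = []
    if image in ("powershell.exe", "pwsh.exe") and _DEFENDER_EXCL.search(cl):
        hits.append(("T1562.001", "Defender exclusion modified via PowerShell"))
    if image == "reg.exe":
        if _RUN_KEY.search(cl):
            hits.append(("T1547.001", "Run key added for persistence"))
        if _UNINSTALL.search(cl):
            hits.append(("T1518", "Installed software enumerated via Uninstall key"))
        if _ENABLELUA.search(cl):
            hits.append(("T1012", "UAC status checked via EnableLUA"))
    if image == "tasklist.exe":
        hits.append(("T1057", "Process discovery with tasklist"))
    if image == "cmd.exe" and cmd_looks_obfuscated(cl):
        hits.append(("T1027.010", "Obfuscated cmd.exe command line"))
    return [Finding(tid, label, event["ProcessId"], cl) for tid, label in hits]


def scan(events: list) -> list:
    """Run every event through the rules and collect the findings in order."""
    findings = []
    for event in events:
        findings.extend(evaluate_event(event))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique:10} pid={f.pid:<5} {f.label}: {f.command_line}")
```

The rules key on the image name rather than on the command line alone so that a renamed copy of reg.exe or powershell.exe is a separate hunt; in production the same patterns would be applied to the parent/child relationship (here the parent would be Fisch.exe) to cut false positives from administrators legitimately adding exclusions.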

MITRE ATT&CK Enterprise v15

Tasks