General

  • Target

    https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbks2WVNJVmV5a3VWZU5tZm53Sy1NZ3FOc1ZxZ3xBQ3Jtc0tsS1RKNGRPMU54NmtZUzhBQnN1aVRwcDdFWTdUWlVUbHJYQzRuTXFNUHpxSHNnc1NhZjJXX3JKVHpCWWNLLUcwWUxMc2JfNk1admt1SEM3U3dfOUc5X05DWGZSWVA1OExjbXF4WGNoM0k0MlFVNUt5SQ&q=https%3A%2F%2Fsites.google.com%2Fview%2Fex1aucn..&v=mKnxdTv6-EE

  • Sample

    241113-3c6eqa1fnn

Malware Config

Targets

    • Target

      https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbks2WVNJVmV5a3VWZU5tZm53Sy1NZ3FOc1ZxZ3xBQ3Jtc0tsS1RKNGRPMU54NmtZUzhBQnN1aVRwcDdFWTdUWlVUbHJYQzRuTXFNUHpxSHNnc1NhZjJXX3JKVHpCWWNLLUcwWUxMc2JfNk1admt1SEM3U3dfOUc5X05DWGZSWVA1OExjbXF4WGNoM0k0MlFVNUt5SQ&q=https%3A%2F%2Fsites.google.com%2Fview%2Fex1aucn..&v=mKnxdTv6-EE

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • A potential corporate email address has been identified in the URL: core@2

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks