9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b | Triage

Submit
Reports

Overview

overview

Static

static

1

node-v22.11.0-x64.msi

windows7-x64

6

node-v22.11.0-x64.msi

windows10-2004-x64

Sharing

General

Target

node-v22.11.0-x64.msi
Size

28.9MB
Sample

241114-rxwv8sznat
MD5

fa9e1f3064a66913362e9bff7097cef5
SHA1

b34f1f9a9f6242c54486a4bc453a9336840b4425
SHA256

9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b
SHA512

ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f
SSDEEP

786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l

Score

10^/10

discovery execution persistence privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

node-v22.11.0-x64.msi

Resource

win7-20240903-en

persistence privilege_escalation

windows7-x64

7 signatures

600 seconds

Behavioral task

behavioral2

Sample

node-v22.11.0-x64.msi

Resource

win10v2004-20241007-en

discovery execution persistence privilege_escalation

windows10-2004-x64

37 signatures

600 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Targets

- Target
  
  node-v22.11.0-x64.msi
- Size
  
  28.9MB
- MD5
  
  fa9e1f3064a66913362e9bff7097cef5
- SHA1
  
  b34f1f9a9f6242c54486a4bc453a9336840b4425
- SHA256
  
  9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b
- SHA512
  
  ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f
- SSDEEP
  
  786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l
Score

10^/10

persistence privilege_escalation discovery execution
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Installer Packages

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Installer Packages

Defense Evasion

Modify Registry

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistenceprivilege_escalation

behavioral2

discoveryexecutionpersistenceprivilege_escalation

© 2018-2024

Terms | Privacy