General
Target: mainscript.exe
Size: 30.1MB
Sample: 241120-fmzctsscpn
MD5: 3d9c6d34fe20a4d4127ac9f36d5cfbf5
SHA1: 9a05e06d4e685e630e8afb55c1e1c44275e383ea
SHA256: 9890a451ec626117db26329bfe7315f5317efec10f40d6963ef09c740a1548bc
SHA512: cc01bfcb7154224c33451e87af77a366c4003a1bcdbf46fb3d78b923e7bbb5deb85ea8449e5650f3f6f25785f21e6953ee329f19d1513157c64092fa4357b1e6
SSDEEP: 786432:eG9Yi8MkQ1JnW828P51QtIbSw1JIxHEha8DZcQl8fBD0DIAKtE+tr:J9SA1Wr8PXiI2gNs6Ofp5xtE+t
Behavioral task: behavioral1
Sample: mainscript.exe
Resource: win11-20241007-en
Malware Config
Targets
Target: mainscript.exe
Size: 30.1MB
Score: 8/10
Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops startup file
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2): Active Setup (1), Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2): Active Setup (1), Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)