General
-
Target
main.exe
-
Size
19.7MB
-
Sample
241121-xpbg8avmfz
-
MD5
e0abfbd6999cf78a0e16e04e2a3ee207
-
SHA1
38c9a381c568936accda2a34225ab0fa8ee6c064
-
SHA256
d51d01caadea10c1f6178d453d7404f260785e45bc0abf54ad561995ac558dd8
-
SHA512
a223db5c4358a2e9f29c95878b92d63b200e2f068873ffcb32dcbe4ab2a6f2e9ffb4b146fb71d2b372124b24626c1969c879cdd14d66e721f1828f20967aa8aa
-
SSDEEP
393216:xvi6SQ9I6IkxSVpW828GG1+TtIiFqY9Z8D8CclJhB7vMyCcAm8zm1DIbz:cYMk2W828j1QtI7a8DZcL4BrmXDIX
Malware Config
Targets
-
-
Target
main.exe
-
Size
19.7MB
-
MD5
e0abfbd6999cf78a0e16e04e2a3ee207
-
SHA1
38c9a381c568936accda2a34225ab0fa8ee6c064
-
SHA256
d51d01caadea10c1f6178d453d7404f260785e45bc0abf54ad561995ac558dd8
-
SHA512
a223db5c4358a2e9f29c95878b92d63b200e2f068873ffcb32dcbe4ab2a6f2e9ffb4b146fb71d2b372124b24626c1969c879cdd14d66e721f1828f20967aa8aa
-
SSDEEP
393216:xvi6SQ9I6IkxSVpW828GG1+TtIiFqY9Z8D8CclJhB7vMyCcAm8zm1DIbz:cYMk2W828j1QtI7a8DZcL4BrmXDIX
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1