General
-
Target
02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc.lnk
-
Size
2KB
-
Sample
241126-mfylaatldl
-
MD5
464e2f94ac97b9bf225d303e0d05f114
-
SHA1
d8511f96d21071b1d5a4cf923ba84ed1fb67df46
-
SHA256
02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc
-
SHA512
e3e3d3aa76c7d7fc7af1f3d3e339eb3c255d25858fce413479cf8ba43af7137d88dc5cf2127c4b24e30973d65bdd5b76cb9fd0c187604c609f6a1a8438725ff6
Malware Config
Targets
-
-
Target
02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc.lnk
-
Size
2KB
-
MD5
464e2f94ac97b9bf225d303e0d05f114
-
SHA1
d8511f96d21071b1d5a4cf923ba84ed1fb67df46
-
SHA256
02ad87e946a127508c1741205a106e1a05da79f5b20ec10bf1507aae01f949dc
-
SHA512
e3e3d3aa76c7d7fc7af1f3d3e339eb3c255d25858fce413479cf8ba43af7137d88dc5cf2127c4b24e30973d65bdd5b76cb9fd0c187604c609f6a1a8438725ff6
Score9/10-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Users
1Indicator Removal
1Network Share Connection Removal
1Modify Registry
1