Overview

overview

8

Static

static

1

ubuntu2404...uk.ps1

windows10-2004-x64

8

Resubmissions

20-12-2024 21:06

241220-zxvl6stpcv 3

15-12-2024 03:29

241215-d2ekvssngx 4

15-12-2024 03:28

241215-d1lb1ssnft 4

06-12-2024 20:12

241206-yy9baavnft 4

06-12-2024 20:12

241206-yyyjsavnd1 3

06-12-2024 20:02

241206-ysa7asvkfv 8

06-12-2024 20:02

241206-yr3vxs1kbr 3

06-12-2024 19:59

241206-yqe3gavjft 4

06-12-2024 19:58

241206-yp89xs1jdk 3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ubuntu2404-amd64-20240523-uk.ps1

  • Size

    1B

  • Sample

    241206-ysa7asvkfv

  • MD5

    f1290186a5d0b1ceab27f4e77c0c5d68

  • SHA1

    aff024fe4ab0fece4091de044c58c9ae4233383a

  • SHA256

    50e721e49c013f00c62cf59f2163542a9d8df02464efeb615d31051b0fddc326

  • SHA512

    aa66509891ad28030349ba9581e8c92528faab6a34349061a44b6f8fcd8d6877a67b05508983f12f8610302d1783401a07ec41c7e9ebd656de34ec60d84d9511

Score
8/10
discoveryevasionexecutionpersistencephishingprivilege_escalationtrojan

Malware Config

Targets

    • Target

      ubuntu2404-amd64-20240523-uk.ps1

    • Size

      1B

    • MD5

      f1290186a5d0b1ceab27f4e77c0c5d68

    • SHA1

      aff024fe4ab0fece4091de044c58c9ae4233383a

    • SHA256

      50e721e49c013f00c62cf59f2163542a9d8df02464efeb615d31051b0fddc326

    • SHA512

      aa66509891ad28030349ba9581e8c92528faab6a34349061a44b6f8fcd8d6877a67b05508983f12f8610302d1783401a07ec41c7e9ebd656de34ec60d84d9511

    Score
    8/10
    discoveryevasionexecutionpersistencephishingprivilege_escalationtrojan

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • A potential corporate email address has been identified in the URL: [email protected]

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks