Resubmissions

13-12-2024 20:55

241213-zqhn2aylh1 7

13-12-2024 20:50

241213-zmywvazpcq 7

13-12-2024 20:50

241213-zmjf6aylfw 7

General

  • Target

    tickle_protected (1).exe

  • Size

    21.5MB

  • Sample

    241213-zqhn2aylh1

  • MD5

    c768376c8456a7197cb08ef603530138

  • SHA1

    2ebff4e549ef5a7958801c88a569db3af4a7342c

  • SHA256

    4f8eee1b74f939d7a0e3c4934247256289c695c2410b4e8629bdd029dbe24bff

  • SHA512

    d3e9e458718ed25211cda67c08678b0bd5533bb623d196b4d3ad1c10bd10f65605cd668a3db478c50ea478219a2d21a0ee0ba178b917e8aa42e352e6609678d9

  • SSDEEP

    393216:qZiFBVEv1pFXPoLw9uJJj7YTW8oqcorXuFAe+NxA5VpdRwjd3Uwud1gYDsfjpXjD:MinVEvlPoLsuJliaqhrXuKe+TGFRw5MO

Malware Config

Targets

    • Target

      tickle_protected (1).exe

    • Size

      21.5MB

    • MD5

      c768376c8456a7197cb08ef603530138

    • SHA1

      2ebff4e549ef5a7958801c88a569db3af4a7342c

    • SHA256

      4f8eee1b74f939d7a0e3c4934247256289c695c2410b4e8629bdd029dbe24bff

    • SHA512

      d3e9e458718ed25211cda67c08678b0bd5533bb623d196b4d3ad1c10bd10f65605cd668a3db478c50ea478219a2d21a0ee0ba178b917e8aa42e352e6609678d9

    • SSDEEP

      393216:qZiFBVEv1pFXPoLw9uJJj7YTW8oqcorXuFAe+NxA5VpdRwjd3Uwud1gYDsfjpXjD:MinVEvlPoLsuJliaqhrXuKe+TGFRw5MO

    • A potential corporate email address has been identified in the URL: [email protected]

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand MICROSOFT.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks