Overview

overview

10

Static

static

1

sample.html

windows10-ltsc 2021-x64

10

Resubmissions

14-12-2024 09:08

241214-k365tsxlew 10

14-12-2024 09:06

241214-k26gxaxldt 7

14-12-2024 08:50

241214-krn5waymgp 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample

  • Size

    267KB

  • Sample

    241214-k365tsxlew

  • MD5

    65624ae0f03e4b0b37b193246a35de15

  • SHA1

    b91e192d5b0199ddf70bec6dbc5e6237791c80de

  • SHA256

    14c9466ae2013053d20cf15258c8fcdf886e752542c7a0519fd39537d91c537b

  • SHA512

    e3ab55d6104b4ba7c70f67e66e8663e461c6317df593d9478994abeb2292e5edef1bf1782d1535bf486a6618f6ff35ad05d6ddedd34570a0fa44d0d976c7a8f2

  • SSDEEP

    3072:7Oh7Oi+0joZWm0ITADlNRzh4bgEJfzrIugDAwtN+Tl/jS4:7Oh7A0joZQITeRIgEJHIbCS4

Score
10/10
microsoftdiscoveryevasionpersistencephishingprivilege_escalation

Malware Config

Targets

    • Target

      sample

    • Size

      267KB

    • MD5

      65624ae0f03e4b0b37b193246a35de15

    • SHA1

      b91e192d5b0199ddf70bec6dbc5e6237791c80de

    • SHA256

      14c9466ae2013053d20cf15258c8fcdf886e752542c7a0519fd39537d91c537b

    • SHA512

      e3ab55d6104b4ba7c70f67e66e8663e461c6317df593d9478994abeb2292e5edef1bf1782d1535bf486a6618f6ff35ad05d6ddedd34570a0fa44d0d976c7a8f2

    • SSDEEP

      3072:7Oh7Oi+0joZWm0ITADlNRzh4bgEJfzrIugDAwtN+Tl/jS4:7Oh7A0joZQITeRIgEJHIbCS4

    Score
    10/10
    microsoftdiscoveryevasionpersistencephishingprivilege_escalation

    • Modifies firewall policy service

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Sets service image path in registry

      persistence

    • A potential corporate email address has been identified in the URL: PUID0003BFFE8D71713A@84df9e7fe9f640afb435aaaaaaaaaaaa

      phishing

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

      persistenceprivilege_escalation

    • Detected potential entity reuse from brand MICROSOFT.

      phishingmicrosoft

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Authentication Package

1
T1547.002

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Authentication Package

1
T1547.002

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks