General

  • Target

    Pictures.rar

  • Size

    34.6MB

  • Sample

    241222-vy6nlstrb1

  • MD5

    d6e4e0871300d0fe0a62f419ea0e9ccc

  • SHA1

    bde8c160f75be4c537e1645d0e1a1f6ed819876a

  • SHA256

    3b55b02384a6212893042c5ac116ec1d9d56b2a007564eac049ce1e6b7cc84a1

  • SHA512

    22b0a214640892a5622a9b07c0cd96a5adf33dc519baa2709438dfaa742aa05432f987108cdec1895bde06d0b436045e628ade753d1248775ee4ce7e52bba78d

  • SSDEEP

    393216:9O5EsPm/Ph+eqQcbYX7bWYAvEpE9x2i2YYWd4A1mGDN3S0w/3qJxtDzqQkSgVk9A:8D+/VqQGNidYBR94v6JDnwwd4ygDTRlt

Malware Config

Targets

    • Target

      Pictures.rar

    • Size

      34.6MB

    • MD5

      d6e4e0871300d0fe0a62f419ea0e9ccc

    • SHA1

      bde8c160f75be4c537e1645d0e1a1f6ed819876a

    • SHA256

      3b55b02384a6212893042c5ac116ec1d9d56b2a007564eac049ce1e6b7cc84a1

    • SHA512

      22b0a214640892a5622a9b07c0cd96a5adf33dc519baa2709438dfaa742aa05432f987108cdec1895bde06d0b436045e628ade753d1248775ee4ce7e52bba78d

    • SSDEEP

      393216:9O5EsPm/Ph+eqQcbYX7bWYAvEpE9x2i2YYWd4A1mGDN3S0w/3qJxtDzqQkSgVk9A:8D+/VqQGNidYBR94v6JDnwwd4ygDTRlt

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks