Resubmissions

10/06/2025, 17:52

250610-wfzb9a1qy3 1

10/06/2025, 17:35

250610-v56besywgw 8

10/06/2025, 17:32

250610-v4fpdaywex 3

General

  • Target

    image11.jpeg

  • Size

    151KB

  • Sample

    250610-v56besywgw

  • MD5

    af53531e71b9acd7b4fa190a5113654b

  • SHA1

    556224eeab34351ad6bc6296f3fca29a53a455b0

  • SHA256

    cf501070de78f1e4494bfc6c946f69cc2e3d0026e0dc7396208de608c8d41a21

  • SHA512

    39588bebd7c0f3c4d8214f3735deb593c3fba61c34c9cc395c0f6eef722e52cf03d58d9957e0854e46cc94ba3a3b885ff94e7ec7bc2e4a987e0a7578f0091776

  • SSDEEP

    3072:MzdvkCtHistjfPmRTAtILugpx3KmxoY5VrFfVgKtcQQiQljMjDfgxW:MztkCRQ9ugX3hl5/KLFAjcxW

Malware Config

Targets

    • Target

      image11.jpeg

    • Contacts a large number (533) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.
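The persistence signatures above (Run key, COM hijacking, executable filetype association) map to well-known registry locations, so a responder can turn them into a host check. The following PowerShell is an added example written for this page, not part of the sandbox report or its tooling; the registry paths are the standard locations for those techniques, the expected exefile command `"%1" %*` is the Windows default, and the only value taken from the report is the SHA256 of image11.jpeg used to locate copies of the sample.

```powershell
# Added example: host checks derived from the report's persistence signatures.
# Assumptions: standard registry locations; default exefile open command is "%1" %*.
$Sha256 = 'cf501070de78f1e4494bfc6c946f69cc2e3d0026e0dc7396208de608c8d41a21'  # from the report

function Test-RunKeys {
    # "Adds Run key to start application": list every Run/RunOnce value for review.
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-ItemProperty -Path $p
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            [pscustomobject]@{ Check = 'RunKey'; Location = "$p\$($prop.Name)"; Value = $prop.Value }
        }
    }
}

function Test-ComHijack {
    # COM hijacking: per-user CLSID registrations under HKCU shadow the HKLM ones,
    # so every InprocServer32/LocalServer32 found here deserves a look.
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return }
    foreach ($clsid in Get-ChildItem -Path $root) {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $sub = "$($clsid.PSPath)\$server"
            if (-not (Test-Path $sub)) { continue }
            $target = (Get-ItemProperty -Path $sub).'(default)'
            [pscustomobject]@{ Check = 'ComHijack'; Location = "$($clsid.PSChildName)\$server"; Value = $target }
        }
    }
}

function Test-ExeAssociation {
    # "Modifies system executable filetype association": anything other than the
    # default "%1" %* runs extra code every time an .exe is launched.
    $p = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $p).'(default)'
    [pscustomobject]@{ Check = 'ExeAssociation'; Location = $p; Value = $cmd; Suspicious = ($cmd -ne '"%1" %*') }
}

function Find-ReportedSample {
    param([string]$Root = $env:USERPROFILE)
    # Locate copies of the sample by the report's SHA256 (slow on large trees; narrow $Root as needed).
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -ieq $Sha256 } |
        Select-Object -ExpandProperty FullName
}

# Usage: review the three persistence checks, then hunt for the sample on disk.
Test-RunKeys
Test-ComHijack
Test-ExeAssociation | Format-List
Find-ReportedSample -Root $env:USERPROFILE
```

Run it from an elevated prompt so the HKLM Run keys are readable. Every Run value and every HKCU CLSID server path is emitted without judgement; the only automatic verdict is the exefile command comparison, because that value has a single known-good default while Run keys and per-user COM registrations are also used by legitimate software and need an analyst's eye.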

MITRE ATT&CK Enterprise v16

Tasks