General

  • Target

    DamnedSetup.7z

  • Size

    96.9MB

  • Sample

    250704-plergahn5w

  • MD5

    a6f8781600bbca5eef67ae4b414eae48

  • SHA1

    cf4e18319cada725f52aef0e18a5aaf2550c60c2

  • SHA256

    b116537406caed99bdee0ddfc1d8487df54a8f84dd4bad0fb67c9c02d783c0a2

  • SHA512

    96a5680a05bd2fd1e4302e2767d4335047d06c23e98b8e990f3de2460001799dc2c3a9c81c37fa16194a157b9189dbebdd3e624e5667a9581c45cd7b972db447

  • SSDEEP

    1572864:v5Pk29eFluJuNodQVmM63Kp0uPaJx4LNcQHxUtSWeTcxwjPatPIUeMCTO16Miz:v5IbommM6apbEGJcYvQlUXz

Malware Config

Targets

    • Target

      DamnedSetup.msi

    • Size

      97.1MB

    • MD5

      a3b2ccc47d3960cda3df9c46c5c1bb12

    • SHA1

      9e45576fcc404ada8f864e2683ecd0559dd8c181

    • SHA256

      fbe050327d4e11ab9546a1312d1d0b5e86b53a0c41eed718087cbaf7a685a3f5

    • SHA512

      5c3c396c945501ffabf3396bd2da0fc3d87a7de5718f5cc0ccdf9b571b410cd2d8a0fea68d26f7c77f2a8d5b8adf747f95850e3494522493e40cb981d90dc007

    • SSDEEP

      1572864:QWmehNW8JhN3bcp+ZkKfSiNWQuOl87KZLQ7m+9MdE9zXIf3czD4NzRo:QWKob3ZkKaio+C2ZceyLT

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Drops startup file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to get system information.

MITRE ATT&CK Enterprise v16

Tasks