General

  • Target

    Update -520240216.zip

  • Size

    2.5MB

  • Sample

    240216-t2dlkadg35

  • MD5

    88960ca7e84e00e17f38bdc9e7eb96c0

  • SHA1

    cb85495ac0e656a8f92e329f4b5d38ad7f538f24

  • SHA256

    dc3fac83706617f5c904a06080ac2b57c22a231aadad0b106de927e0c00dc50b

  • SHA512

    4d6f220a831f2de1aecda4c681ef0379a0b068ac447acf0c8abb4a535b6652d8b7d62ffdf3cfad4c79f254aa2bb30eab59d7f24ac1820c9ebe9353bb2320c997

  • SSDEEP

    49152:1O2q8AxbSxSF30Be5KW8wPmO2q8AkMzOjfCdk+8u59AbZO2q8AkMT:wX8AVlFkg4WfLX8A22dk+8u59DX8A3

Malware Config

Extracted

  Language: ps1

  Source        URLs
  ps1.dropper   https://grantallardserver.com/data.php?9086
  exe.dropper   https://grantallardserver.com/data.php?9086

Extracted

  Language: ps1

  Source        URLs
  ps1.dropper   https://grantallardserver.com/data.php?14979
  exe.dropper   https://grantallardserver.com/data.php?14979

Extracted

  Language: ps1

  Source        URLs
  ps1.dropper   https://grantallardserver.com/data.php?14648
  exe.dropper   https://grantallardserver.com/data.php?14648

Extracted

  Language: ps1

  Source        URLs
  ps1.dropper   https://grantallardserver.com/data.php?13746
  exe.dropper   https://grantallardserver.com/data.php?13746

Extracted

  Language: ps1

  Source        URLs
  ps1.dropper   https://grantallardserver.com/data.php?6577
  exe.dropper   https://grantallardserver.com/data.php?6577

Extracted

  Language: ps1

  Source        URLs
  ps1.dropper   https://grantallardserver.com/data.php?6001
  exe.dropper   https://grantallardserver.com/data.php?6001

Targets

    • Target

      Update -520240216.zip

    • Size

      2.5MB

    • MD5

      88960ca7e84e00e17f38bdc9e7eb96c0

    • SHA1

      cb85495ac0e656a8f92e329f4b5d38ad7f538f24

    • SHA256

      dc3fac83706617f5c904a06080ac2b57c22a231aadad0b106de927e0c00dc50b

    • SHA512

      4d6f220a831f2de1aecda4c681ef0379a0b068ac447acf0c8abb4a535b6652d8b7d62ffdf3cfad4c79f254aa2bb30eab59d7f24ac1820c9ebe9353bb2320c997

    • SSDEEP

      49152:1O2q8AxbSxSF30Be5KW8wPmO2q8AkMzOjfCdk+8u59AbZO2q8AkMT:wX8AVlFkg4WfLX8A22dk+8u59DX8A3

    Score: 1/10
    • Target

      Install/Update_browser_121.0.6163.js

    • Size

      1.3MB

    • MD5

      7ecc973a8ab0e0df11d0103fc763aec2

    • SHA1

      d6ea12f010e3f2b229f616bff27f6f590b9922f3

    • SHA256

      ef3240f277751f4149e702336035632b7cb6b1e7f8ccd2ad50c9c85dc3a14891

    • SHA512

      84fef056c1f03a10a21f561e30be5a7f3a24485d75c27cfde6a8065bbc3d0e22559e7f0d9a13c53702506183efc3a9ee95183fbdf7fd0f0aa3c1b0cbf44b6552

    • SSDEEP

      12288:sqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Ok:PkdBpQFVkdBpQFVkdBpQFk

    Score: 10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Target

      Install/Update_browser_121.0.6164.js

    • Size

      1.3MB

    • MD5

      06ee8302ec320908c9395a5ca17756a9

    • SHA1

      65378085bbb933de3c19d194fd23a78262549546

    • SHA256

      7668e03a8035301f2597d4e4d2fd2660139f1432da002e397b1182cd7d911630

    • SHA512

      53536444e6c6246ac092cb15497f17ab12f73ca13f1c210029b361f57267d626dfc5f0659c19c92e32315b996d9a7e445cd2b3d7b70faaae2c43072631f4c9f5

    • SSDEEP

      12288:yqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Ok:VkdBpQFVkdBpQFVkdBpQFk

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Install/Update_browser_121.0.6165.js

    • Size

      1.3MB

    • MD5

      f81058fb98198fb56f2b846d3d64f61a

    • SHA1

      6fc92a83c7d2be9994c5aaf7b68fe62fc660c548

    • SHA256

      9bc8f97bad4cf4607037be15990d4d8396873487c1e11101ebd95123fdbf631a

    • SHA512

      1d5f1cf04a9bcab96576711c06fa8bed0523dea1aab867649a278ae9ddf813a585aea5c8e903f44554707d2eba842e151bf677bef41ef10c568f49440923e57a

    • SSDEEP

      12288:Bqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Ok:ckdBpQFVkdBpQFVkdBpQFk

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Install/Update_browser_121.0.6166.js

    • Size

      1.3MB

    • MD5

      4877fc7cdee26e86dff3a3964ddbd156

    • SHA1

      58aa4af372b60958a608006e69f356c17273fa52

    • SHA256

      69593610bb4221e42aef8b4f84c42f8b7056778b8e8b9d527d0c1408624653d8

    • SHA512

      131b03d03efa2b10c8cd4b48685c9623fcb05962402be54b180c317651401bf18261256fa74436ed6444bac740b528cb3b3ec44fa39a1663d62314bda42f6538

    • SSDEEP

      12288:pqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Ok:0kdBpQFVkdBpQFVkdBpQFk

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Install/Update_browser_121.0.6167.js

    • Size

      1.3MB

    • MD5

      14a597959dc3abb0a7f9f76146cf2607

    • SHA1

      c8733f6d5cdab2f5bfc1a9d06bb5a06eee8b5f0b

    • SHA256

      b8bd0ecac53cda84ef8be72d4a904a7ecc4cf841706400cffe8b599f2b4a6672

    • SHA512

      3e21a39ba2efcac7d58c5edb890211f69b483cd6202ddee69938a43f88f9358361df836590fac678053245b7377a7abcfd0df8b06c8340a7e824340fbca126d5

    • SSDEEP

      12288:8qkdj8gY4HQJ2Oyqkdj8gY4HQJ2Oyqkdj8gY4HQJ2Ok:fkdBpQFVkdBpQFVkdBpQFk

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Update_browser_121.0.616.js

    • Size

      867KB

    • MD5

      d7afb0b85ae4661eafd7b86759f5f49e

    • SHA1

      403214974457770eb6523a763f2f681da66b6e99

    • SHA256

      4ba8cb6306747ba7419507aa01ec895e38ecd7e291746546d7609e668955c69f

    • SHA512

      eb9fdac18c862a5ebcfe47999d2f9d003873d9e730320698e007b41152ba2aab84b27dd2640830c016cdb8aaa09dc34a86e107ea1fe8e0943c7c30572e08bbe7

    • SSDEEP

      6144:8+IrEhFgMczj0aw0810VLuqjHFPm4HQQuZ2Ozu+IrEhFgMczj0aw0810VLuqjHFx:8qkdj8gY4HQJ2Oyqkdj8gY4HQJ2Ok

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
