General

  • Target

    96f778ab06125c86584d5a815548e7c8d8a94d60.zip.tar.gz

  • Size

    1KB

  • Sample

    240326-mhg2bagb36

  • MD5

    1e59d6e4282759f61dfceba048d24da6

  • SHA1

    e3604399a075d3157e115156c212d03b921c2740

  • SHA256

    aab1adb71b6c05fe837b6b59a6c920635b54dc003e4bea7b9b22b59d68892576

  • SHA512

    f542f0423fca1c4a390bd5ce9fc9361d987bafb767f979cb22dc78e8f8485cd700a7c17ed88f82bef3761a2c6bf7d90a677584bf6394d2d4f1edf08125a4aa1c

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://busyestinglsv.site/cmeo/ahbsfrbahogrfoweybrzhfbshdlhabdfhbawvgfrweifrvboherjbvfwr/zxfhvgkhchbavsdfabvlgf1244rhgv5hvkghvkhvkh6vkgvh/clips.exe

Targets

    • Target

      Order/Order.lnk

    • Size

      2KB

    • MD5

      f88d5c71b79d93f336a5fbc20deeb9dd

    • SHA1

      1f77d2879725462577a73adbf83d07c60eb6a384

    • SHA256

      a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752

    • SHA512

      e369ed33574528497c330c79630e49971b4398bc089f239648c270774a62086436a36503db5052d9df72a56a0a8113ac0c9c09e7d86b41ad999c15e1cfc404d2

    Score
    10/10

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15