General

  • Target: Document.zip
  • Size: 102KB
  • Sample: 240426-hn8c8sbc26
  • MD5: 6dfd06fe70cb840c97edb292ac4272ca
  • SHA1: 2502cd18ad7db0536b3950bdbd66bf6cae488811
  • SHA256: d212718eb644c7803f73dc13b55536e84263a3f959219bd067dc4092a2095b15
  • SHA512: aaed01ee6d724d099e3789c9a04b5e5bf8cae1870e3b39c06ee5b99d8870cf8b673083c64715df92c5a1c51b027b78364bc5759f4f252797c405d31a9f067959
  • SSDEEP: 3072:6J1mfyam5pu+iKHGdeuHOJVTJd67vuehhl:6JiBU5imueuuJ7dqv9hhl

Malware Config

Targets

    • Target: Document.doc.scr
    • Size: 194KB
    • MD5: 6fd558cf3add096970e15d1e62ca1957
    • SHA1: 78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23
    • SHA256: 41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898
    • SHA512: fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc
    • SSDEEP: 3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

    • Renames multiple (355) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session data.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic             Technique                       ID          Count
  Defense Evasion    Modify Registry                 T1112       1
  Credential Access  Unsecured Credentials           T1552       1
  Credential Access  Credentials In Files            T1552.001   1
  Discovery          Query Registry                  T1012       3
  Discovery          System Information Discovery    T1082       4
  Collection         Data from Local System          T1005       1
  Impact             Defacement                      T1491       1

Tasks