204b7ddb7313918dc965ad5335d350ec2457843a66141011ebec50b8ea0e05af | Triage

Sharing

General

Target

Doc.zip
Size

744B
Sample

240522-f1lc5add2z
MD5

34de20fe156557d6d6d0a371f70ec5d5
SHA1

820a83383b023d71640c159f146bf14bee096d98
SHA256

204b7ddb7313918dc965ad5335d350ec2457843a66141011ebec50b8ea0e05af
SHA512

8d0df03876aa820498e2b3664ea4c673d621051b43fcf6bfee3f5e66beedc61e39734a1851013d475a4a902855765e7cfa2cb58d862815af5f518eae8e829633

Score

10^/10

execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://foundationforwomenshealth.com/rooming.hta

Targets

- Target
  
  Doc.lnk
- Size
  
  1KB
- MD5
  
  60f1320faf25bc20101c4312f82a72f8
- SHA1
  
  a37a8f932db503eed34cbe9aa1db40f63b36fee1
- SHA256
  
  bb26c65d29da78c698c19344058832b21593d27f4d89b5118345bb76614a564a
- SHA512
  
  96652e9e0a96545449a260c19d920eb3f1debc879e76f5a594848a28ef165b733ca61fcc75636781289e30cc7e87aae11028ff159a1bdc93a274dbed99f03d07
Score

10^/10

execution
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2