Overview

overview

10

Static

static

1

Offer Document 24.lnk

windows7-x64

3

Offer Document 24.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Offer Document 24.lnk

  • Size

    1KB

  • Sample

    240523-wyrp5abf53

  • MD5

    bf9569f5e56e6dcb1f4ae60fd2faea36

  • SHA1

    1085e4140bf323df085db50b8f79c3b02b4aab72

  • SHA256

    59f149ffc55554ce0aac7072bba999b5abb83b023486e017f407883f8a27e4e2

  • SHA512

    2a682c59a881c95d36d56d28328253f3c8cc6ac3d466c5eefa1223cb58a12de708414a5e6f59e07f919c9e122748deb76961c1e84ec4c3e19f68afdf4cc032d9

Score
10/10
execution

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://20.86.128.223/room/room4.hta

Targets

    • Target

      Offer Document 24.lnk

    • Size

      1KB

    • MD5

      bf9569f5e56e6dcb1f4ae60fd2faea36

    • SHA1

      1085e4140bf323df085db50b8f79c3b02b4aab72

    • SHA256

      59f149ffc55554ce0aac7072bba999b5abb83b023486e017f407883f8a27e4e2

    • SHA512

      2a682c59a881c95d36d56d28328253f3c8cc6ac3d466c5eefa1223cb58a12de708414a5e6f59e07f919c9e122748deb76961c1e84ec4c3e19f68afdf4cc032d9

    Score
    10/10
    execution

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks