General
Target: Invoice#1136309464.iso
Size: 898KB
Sample: 240605-n3dp3afe99
MD5: 87d66ac004a13b5e303e8789bd137ca9
SHA1: 1ee82232a77d898fc54ab7b34b37c88f7a8e1f6a
SHA256: a1ce6b762cb741d0da79d433721258c01cdd1794b00fef95d78e324c07202df2
SHA512: 8cbb6361ef73dbce740ad70f589759654c10d1e1fb65d57fd8c494cb37787c416196fb07c7139badbd9976a0717c2a867e90470e9fe6fc55c414599d892b3ddc
SSDEEP: 384:8sTu8Qyg9R6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cD:8s6+4JElDTo
Static task: static1
Behavioral task: behavioral1
Sample: Invoice#1136309464.wsf
Resource: win7-20240221-en
Malware Config
Extracted: http://162.244.210.92:333/kok.jpg
Extracted: https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip
Extracted: https://nodejs.org/download/release/latest-v0.12.x/node.exe
Extracted: asyncrat
AWS | 3Losh
Karem
kareemovic11.duckdns.org:6606
kareemovic11.duckdns.org:7707
kareemovic11.duckdns.org:8808
AsyncMutex_kinsdlmsjnsidhuybf
delay: 3
install: false
install_folder: %AppData%
Targets
Target: Invoice#1136309464.wsf
Size: 107KB
MD5: ab87b1030210083dfb5b1e4f11647846
SHA1: c53b4eaece77ca95b11b0facb82fc81af7e6735b
SHA256: 5569aaf9f9d3e53647419506c0cb256ac27d7538d2544a7031c2d7d31df0cb58
SHA512: 2980941237f69d4ebf380af918144f7a9acef04d7ca195f2e1531e1de6ea2ded17ce0115fd66db5fc7d526397634d22ec80ee33d987f25ca369de0558d672735
SSDEEP: 384:qR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cR6cR6cR6N:14JElDTR
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- StormKitty payload
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (3)