9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4 | Triage

Sharing

General

Target

9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4.lnk
Size

30KB
Sample

240609-lrvs4ahf55
MD5

3deb98c1970c8ed0d95086d79e579231
SHA1

bc8b9ae3e0e278c69d100d30333dc380fc7fe57a
SHA256

9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4
SHA512

e25073a88ac942f2aee7f57de6bd51b3b0dbf9caa0c5b569f603315cae5de2ce9308fa974f44b8a24b5cc661f8f152cdfc5ee985f7e388319d2ec4059cc28630
SSDEEP

24:8l/BHYVKVWuMs4ds+/CWLC7SfW8g/kwCYmaHKPeFI:815aTDds7S7gzTmE

Score

10^/10

execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://198.23.201.89/warm/wow123.hta

Targets

- Target
  
  9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4.lnk
- Size
  
  30KB
- MD5
  
  3deb98c1970c8ed0d95086d79e579231
- SHA1
  
  bc8b9ae3e0e278c69d100d30333dc380fc7fe57a
- SHA256
  
  9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4
- SHA512
  
  e25073a88ac942f2aee7f57de6bd51b3b0dbf9caa0c5b569f603315cae5de2ce9308fa974f44b8a24b5cc661f8f152cdfc5ee985f7e388319d2ec4059cc28630
- SSDEEP
  
  24:8l/BHYVKVWuMs4ds+/CWLC7SfW8g/kwCYmaHKPeFI:815aTDds7S7gzTmE
Score

10^/10

execution
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2