General

  • Target

  • Size: 1023KB

  • Sample: 240617-3pqvsstark

  • MD5: 981931159e45242cc1c3dcbdb47846d7

  • SHA1: 875bd5c00a30df19216e7f08bc18d97490ed25a6

  • SHA256: 69461917822ca791194992d7b7d01e12afbf0eb86ae327b3fb86df01012e060e

  • SHA512: ffad32e77bcd989a20e1226021280204ded3e4ba7987e02978859be966e454785a0c0e196397378ad47d57f251764aeade3836127fe94ef67800342591fc63ce

  • SSDEEP: 24576:A+nV9M1Yek6EYqNc4p9cAnlwDUctAaxu190ryaJqc5D9X32pVa:A+nsr1E66eAnEUc6CuEryaJqc5RWpVa

Malware Config

Extracted

  • Language: hta

  • Source: hta.dropper

  • URLs: http://93.115.82.248/?0=1&1=1&2=9&3=i&4=7601&5=1&6=1111&7=dnkkegxvna

Targets

    • Modifies WinLogon for persistence

    • UAC bypass

    • Blocklisted process makes network request

    • Sets file execution options in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks