General

  • Target

    https://cdn.discordapp.com/attachments/1235665828129804342/1272860754835673163/PO-SAI_FOOD_PVT_LTD_.zip?ex=66bc8374&is=66bb31f4&hm=103fbc9cc2f064b5879e39769452535cf80d61008efd2495a8a87207161e8c5e&

  • Sample

    240813-m7mcbszdnb

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.comedyskits.com.ng
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    TGXs]#J&_ReU

Targets

    • Target

      https://cdn.discordapp.com/attachments/1235665828129804342/1272860754835673163/PO-SAI_FOOD_PVT_LTD_.zip?ex=66bc8374&is=66bb31f4&hm=103fbc9cc2f064b5879e39769452535cf80d61008efd2495a8a87207161e8c5e&

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Sub-techniques are indented under their parent technique. "Count" is the number of sandbox signatures mapped to that technique.

  Tactic                Technique / Sub-technique                Count  ID
  --------------------  ---------------------------------------  -----  ---------
  Execution             Command and Scripting Interpreter        1      T1059
                          PowerShell                             1      T1059.001
                        Scripting                                1      T1064
                        Scheduled Task/Job                       1      T1053
                          Scheduled Task                         1      T1053.005
  Persistence           Boot or Logon Autostart Execution        1      T1547
                          Registry Run Keys / Startup Folder     1      T1547.001
                        Scheduled Task/Job                       1      T1053
                          Scheduled Task                         1      T1053.005
  Privilege Escalation  Boot or Logon Autostart Execution        1      T1547
                          Registry Run Keys / Startup Folder     1      T1547.001
                        Scheduled Task/Job                       1      T1053
                          Scheduled Task                         1      T1053.005
  Defense Evasion       Scripting                                1      T1064
                        Modify Registry                          1      T1112
  Credential Access     Credentials from Password Stores         1      T1555
                          Credentials from Web Browsers          1      T1555.003
  Discovery             Query Registry                           2      T1012
                        System Information Discovery             3      T1082
                        Browser Information Discovery            1      T1217
                        System Location Discovery                1      T1614
                          System Language Discovery              1      T1614.001
  Collection            Email Collection                         1      T1114

Tasks