General

  • Target

    bots.mkv

  • Size

    3.7MB

  • Sample

    240817-hmxkcawbpr

  • MD5

    e060a072bfd42c7ac5bcb00834752b87

  • SHA1

    b595268c3a843f985ead80074fdaa90e06d2eb69

  • SHA256

    0be479a9f07daedfdb785efa9f3543d947b0f28412de94397c13abb91dd9f377

  • SHA512

    66475b55562d2cc2b7ba15ef4a28a8e106866ee5508ac0947d747d8d4dd700c3822e2f6eeab16b7c3e2f7bbcafdaede43dda5267b4812720e6d184b2d7af18c8

  • SSDEEP

    49152:8g1Zsb+kJ8itAy4GaLhRVAe69eXDwK0uKWrIdnchPnybwv8+T9p:84uQLx8TWrIdnchabwNT9p

Malware Config

Targets

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: this indicates that the page was originally saved or cloned.

    • Detected potential entity reuse from the brand Steam.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks