General

  • Target

    bestintercomthingswhichgivebestthingstogetmeback.hta

  • Size

    131KB

  • Sample

    241029-ptm3tatrdw

  • MD5

    6d739d6533520e553037e609fe0530d9

  • SHA1

    4fd1330dabaa0a32e7ea25ab462ea19acf14cb98

  • SHA256

    d1f9d23d0edf09bfafba1ecc9a34783a4bb3761f2eceab302bdb368a6e2ea144

  • SHA512

    b604ced91e154fa98cded0aeb124ef42a4bd2206cb4e0ed9d81b1fcd9f43031e24c53ac2ccb10598493ad8bbb4d0e3441d71b2cb114db06955a0024b69c4e2b8

  • SSDEEP

    96:4vCt7Q3lBAWVffN1klyKByKcwfz56KeqQ:4vCF2Vfcy2yUQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

    • Target

      bestintercomthingswhichgivebestthingstogetmeback.hta

    • Size

      131KB

    • MD5

      6d739d6533520e553037e609fe0530d9

    • SHA1

      4fd1330dabaa0a32e7ea25ab462ea19acf14cb98

    • SHA256

      d1f9d23d0edf09bfafba1ecc9a34783a4bb3761f2eceab302bdb368a6e2ea144

    • SHA512

      b604ced91e154fa98cded0aeb124ef42a4bd2206cb4e0ed9d81b1fcd9f43031e24c53ac2ccb10598493ad8bbb4d0e3441d71b2cb114db06955a0024b69c4e2b8

    • SSDEEP

      96:4vCt7Q3lBAWVffN1klyKByKcwfz56KeqQ:4vCF2Vfcy2yUQ

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks