General

  • Target

    5.hta

  • Size

    70KB

  • Sample

    241101-yrywzasqc1

  • MD5

    4b4622857d5a8049c8eabc65cbbf9759

  • SHA1

    3c0b1087394f1584a53ae19a60eeee26adf5323a

  • SHA256

    bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234

  • SHA512

    bd4e13fc189cff886ac5097814fb35145d897c8f3626df93ba1413fdb38117d3df48152fa099c3bfb4852760425bb97f07aa6020e61331580c7780604285cf9e

  • SSDEEP

    1536:qzp24Z02CaLYQZ3h+3vsA7gI8GLRMsQMIF9AbR0F:ErZFJYYx+fsAD8qqsQMIFKC

Malware Config

Targets

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Looks for VMWare Tools registry key

    • Manipulates Digital Signatures

      Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks