General

  • Target

    0d6049a23bc24a385997c0514ffc22a9c0c9ba681d1cac2f6cb5013bafeefe4f.lnk

  • Size

    3KB

  • Sample

    241114-xkrnmssbjp

  • MD5

    001c1231f099ae2188df58798c2c32cf

  • SHA1

    6e8394a04aa35551437d91910c787bf2165c175b

  • SHA256

    0d6049a23bc24a385997c0514ffc22a9c0c9ba681d1cac2f6cb5013bafeefe4f

  • SHA512

    b46b0ed51706e68a7b2e1d3609caaa2bc45676cb876c9ca72c51d9e34d2e5821dba256378950b3dc678d44c0cbfe14a6f599c66fb6843a34c76f7e258959e2c9

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta

Targets

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks