ed6a6e1bfacaa0d18f44616342463cc6702a80d24ea1b7750f0b4305dade2673

Sharing

Copy URL

Twitter E-mail

General

Target

ed6a6e1bfacaa0d18f44616342463cc6702a80d24ea1b7750f0b4305dade2673.rar
Size

1.6MB
Sample

241119-nj43xazpgn
MD5

4a2db38af38cd2b3bb1836643cd5b731
SHA1

fa0c12a6d7b73d137bcd8c31a90623a521713b52
SHA256

ed6a6e1bfacaa0d18f44616342463cc6702a80d24ea1b7750f0b4305dade2673
SHA512

28669ab434d2168ded180f4adcade67e51f76a84fd14895bc467483e246937a15b9652ed17c855aa61e98007c5af9232a95065e0f5913dd4f5a7a073713824e0
SSDEEP

49152:yJJXEqpYlKqH8imigH9uM5newJYV962Po:CYl/c94M5nemY22Po

Score

8^/10

Malware Config

Targets

- Target
  
  APT28/1-IA/T1566-phishing/T1566.001 Phishing SpearPhishing Attachment/payload.docx
- Size
  
  11KB
- MD5
  
  22af574bd447160a632f53c8ac7c2aa0
- SHA1
  
  122cd3887ba36c401644b88acdb36adb7d1cdb88
- SHA256
  
  cc003cb94fb726aed7225245c2f64ee780600814dfab28dd2e60959dcf1e5b81
- SHA512
  
  5d3f57c8407d6728406a22c42dcb7e897582efc3bdb58949106362d0017b61e9986cd60fd5a1ef4a98a3e29d41118f27b10ec5fdb069d640aa45375fc0cead05
- SSDEEP
  
  192:CtnkO1tqSCCNxtpgoZ22NN+2g64rRUZgKbYLbgfaN5HqA2T2:akWtqSdNxt/ZtNNrgvregKELqwHqA2T2
Score

4^/10

discovery
behavioral1 behavioral2
- Target
  
  APT28/2-Execution/T1059.001-Powershell/payload.ps1
- Size
  
  404KB
- MD5
  
  bd4eb7a629dc716c4884ba77b338b00f
- SHA1
  
  db7c58b069a69cccf6c767abd0564688272d5a8f
- SHA256
  
  2f694f5b72b4da3f9c6c674003ed36f5591a997ad5bde817d0fdc3f1c4792956
- SHA512
  
  b4789c93c9e5433bd8d37cc75d42a1cf2bbf27f400684d0e8a7d5b49ebed400007aff575ce7252aa7d1b5a27d52f5b9a6f98f3fa0f01e3f23ab8137f030f9036
- SSDEEP
  
  12288:80C4sZYvWuykwHT15ChBrIOxh8VrxpD5d:3vW1kKr
Score

3^/10

execution
behavioral3 behavioral4
- Target
  
  APT28/2-Execution/T1059.003-cmd/test.bat
- Size
  
  159B
- MD5
  
  30e40a152740269e8f6fc39581e52c20
- SHA1
  
  f692eae55d02b67b698ad6aeedcff9a4f1af715f
- SHA256
  
  5507198de428d34500b92e848437a35bc83a7200feebd740978a57ca68f2d773
- SHA512
  
  ad2e198c8a321d093403be84eb3d842729082f6d0aa6e845304197fa690fd6de676801c76e2ae8e9b5347412f4b92a037ffb6cba8cc41d1996715e80caa21157
Score

8^/10

dropper
- Download via BitsAdmin
  dropper
behavioral5 behavioral6
- Target
  
  APT28/2-Execution/T1059.005-VB/payload.vbs
- Size
  
  2KB
- MD5
  
  a60f3a96bfa741a606f493182e2f146a
- SHA1
  
  aec8630469198f7af326a372a788332d2467d628
- SHA256
  
  e8ad660d43a15987b493debd58a0107f0fa62857d9930806873028fb0475df0b
- SHA512
  
  b0774a965310b69b86d9cd54666a2cc6f0c081d28404b2632c871900c681c519a4b6215bf87159b5afbc1b626efc8f77d52aae43b7b43177849b17f68444cd8a
Score

8^/10
- Blocklisted process makes network request
behavioral7 behavioral8
- Target
  
  APT28/2-Execution/T1204.002 Malicious File/payload.docm
- Size
  
  11KB
- MD5
  
  9c8758d624549e4ab18c6cbafb38a9b5
- SHA1
  
  941f18899a700dc42d496a0dc44c03259db1b86b
- SHA256
  
  47c25b3184e4bce05cdec5cab516a2c52d2e957828ce0064c847b393a987b192
- SHA512
  
  0afb0874d030f8b16237d01f9289f679cc73fefbae53dd8e992871703d573863636f981ad122bdc9d126dc004a6cb281d6435394a724be97b3f6296b1e91a0e2
- SSDEEP
  
  192:e3mCCNxtpgoZ22NNs+VywLbQXv4rRUZgKbYLbgfaN5HBKBexg0r:e3mdNxt/ZtNNs+YwvQgregKELqwHEexr
Score

4^/10

discovery
behavioral10 behavioral9
- Target
  
  APT28/2-Execution/lnk/EmbedExeLnk.exe
- Size
  
  321KB
- MD5
  
  63a9a75ce5676e02f126ec56ea428734
- SHA1
  
  0f181e71d401a2f2122929b66bed0c62a3b4eab8
- SHA256
  
  8d0d66e284049df3d3683a02764d670526d982db268f2ef9744463ef07e0c587
- SHA512
  
  0245b4f7b0772b2a19a66a6a7c9d154bc88d98b7a6d028fc9c8e3a9a170fc69380062d7830243a0b59b15e394163d4cc0dc6d338384d9f7100cad65ad25b89f6
- SSDEEP
  
  6144:1jLiS+AmBzyvH6BYlJpC0uKoc+sCoWWmSoHWXi/fD4Xa0dTvTIuW:NmZoP9DA0B43dES8XPGuW
Score

1^/10
behavioral11 behavioral12
- Target
  
  APT28/2-Execution/lnk/Report.lnk
- Size
  
  204KB
- MD5
  
  ef4579d6e1e665056bc593ecbad1e473
- SHA1
  
  de45b08deb1cccf50215a1318d83adf39d67f257
- SHA256
  
  37d7f927abcd4d1bf617e8279b8b8d7c8b14abec089e856faa6ffe36937c4e16
- SHA512
  
  3ad5ef1e96a97009726322384a497ffedd5c48f6fc64ce7349adeabc99156f54df510f9cb5a5f49bc0d8b6a32a994756ea9b02f6dbff78f6ed2c7cc057d9d230
- SSDEEP
  
  3072:J6LpD98Rr6vKDHJX0DPlHoPUBXgWXGMpgE6oLV2ISgA+4pOyB3yF3vxskk1GovNB:w4HhglHoyX8E6+V4gp9yBi3vxsXRb
Score

8^/10

defense_evasion execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral13 behavioral14
- Target
  
  APT28/2-Execution/lnk/gen-embed-zip.exe
- Size
  
  122KB
- MD5
  
  69d4fd4accdf9a996da5ca9a3d1a4e7b
- SHA1
  
  3679258fbf25402bd585af5231425e2f26ddf91c
- SHA256
  
  6dfdc744553d263d5ed5f5404f98774532a2a2b6b7b98141d39c9996ea06f0bb
- SHA512
  
  cd317c313b52fc057951171fb41445ffaefd82e5c1a1902e8083f3ab764dd3916647984d11212331d03cdcfd944b3b94ffbda26877b1c519f18099558cd20be4
- SSDEEP
  
  3072:QD738JQxbOF2cCdVKA8YaPAj9PbgBLpnYhNoXBuYrF:Qf8RF2fSY3vSrF
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  APT28/2-Execution/lnk/update.exe
- Size
  
  321KB
- MD5
  
  536998185193b231e62d404c51121b8c
- SHA1
  
  0b86221d0237f06081e286746b1b5bb836ad4004
- SHA256
  
  d69fa80c8e54e8331e63c2d130a5d7b475f8c378971d9571db1d368662f7d6fd
- SHA512
  
  789f9bbac831b54aeb4c2dfb61d35e21f9b031897bc1d4daa37fad48ddd849223a6a1432a9428953b1b2541960c2b9367709ed17e22d2852ae6dc96f82a9bd09
- SSDEEP
  
  6144:9NwN2y2kRu/ZBxY9x+Day0DazCH8Jh+qxOLb8c1NaOGaYuzhV/O:9ZynSvYy2yyqwEkAEb8cnajW
Score

1^/10
behavioral17 behavioral18
- Target
  
  update.exe
- Size
  
  321KB
- MD5
  
  536998185193b231e62d404c51121b8c
- SHA1
  
  0b86221d0237f06081e286746b1b5bb836ad4004
- SHA256
  
  d69fa80c8e54e8331e63c2d130a5d7b475f8c378971d9571db1d368662f7d6fd
- SHA512
  
  789f9bbac831b54aeb4c2dfb61d35e21f9b031897bc1d4daa37fad48ddd849223a6a1432a9428953b1b2541960c2b9367709ed17e22d2852ae6dc96f82a9bd09
- SSDEEP
  
  6144:9NwN2y2kRu/ZBxY9x+Day0DazCH8Jh+qxOLb8c1NaOGaYuzhV/O:9ZynSvYy2yyqwEkAEb8cnajW
Score

1^/10
behavioral19 behavioral20
- Target
  
  APT28/3-Persistence/SharPersist.exe
- Size
  
  231KB
- MD5
  
  e06b24113cab27ff5a1173fa3f9e1615
- SHA1
  
  0895086036ee0b521156ffc561260bcca9716507
- SHA256
  
  e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8
- SHA512
  
  04fda4f4231fd72d715d3172cf90979202e3f10c760f0314a9ebeb598a474b609ddeb65656bc43daeef8b42c954bd5aa3d35dc21949a21e7d4d1e2dbdd0bcd8d
- SSDEEP
  
  6144:Dlfv+GK2xqnVsnBTBZX9RHQzev492Vy8:DlH+4xqnqb9QzG
Score

1^/10
behavioral21 behavioral22
- Target
  
  APT28/3-Persistence/T1137 Office Application Startup/Office Test T1137.002/officetest.dll
- Size
  
  57KB
- MD5
  
  04b96c7b24a889629ed39ebba7c68f6e
- SHA1
  
  7753170bc339e4d44025b474ff6b6db574a38fc8
- SHA256
  
  8498049dabbdfbc4aa07c199d53c771874ba875bba6ab67b148da349d104c61c
- SHA512
  
  62364b2e49a6d46756e35ad365b46af4bd48e75382d262e1e3943bdc6246fe2d49c9bce90cab1742c981753f1dc672bf5e1caf21cec5858552e22c0f41aab867
- SSDEEP
  
  384:4Xj9nEJgTuZ2ebqNZ/OUIVk5VAQFb5HxdoK3KW+Fwa348QfBXLis0WkJt+GPP/N:4l09bmQsTvKWkwaoVB2hWkJwGP
Score

1^/10
behavioral23 behavioral24
- Target
  
  APT28/3-Persistence/T1137 Office Application Startup/Office Test T1137.002/payload32.dll
- Size
  
  316KB
- MD5
  
  21094565a757b9b979fb62c5d2a311b4
- SHA1
  
  78fc7af9982059092dd473c56d09f40de23be0db
- SHA256
  
  c50bdb7b4732bef5aa7dc8b392bf95e69cd01e81e6e4a0d4b6d90c541a2929c5
- SHA512
  
  31ef9a8c0c4ec6bf982328870c9ca0efc0e33cf44d40a5b34c980bf6fc6b14e98d8563cbb77f1a726e905a66ffa6d11c883be892434430d46722ec2193b2e8df
- SSDEEP
  
  6144:ImLWX2iubZRAQxjynfRrHWc9M7kfz3vgCMa08GYsCZwQ:IVXOFbyZW6vgCMZ8GiZwQ
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  APT28/3-Persistence/T1137 Office Application Startup/Office Test T1137.002/payload64.dll
- Size
  
  320KB
- MD5
  
  88685ceb4e3b78169a3c8f8b18d98f2a
- SHA1
  
  d032130eabd32717f279cc665424a8a01f391254
- SHA256
  
  82bfcdb70be97eabfe30ffcbe53b0b3cbafb352698f4a7cd590223f32aa10aec
- SHA512
  
  b8ea0da878172b533aa90299cc148c08168bfb99aa745fb4e4a640e868475c5eb5e8dcf7ee292ab4443f878e45fbe56bf1782f2878f145cd29f77c2b77e56570
- SSDEEP
  
  6144:SH/kuGbBPEVUYnTmm+NEGmvMkDEk140jE+8sS7JOx677aJnOsMFCF:SMNq/hGBkQk1QbuJnO3
Score

1^/10
behavioral27 behavioral28
- Target
  
  APT28/4-Privilege Escalation/T1134 Access Token MAnipulation/Token improsonation theft/BadPotato.exe
- Size
  
  60KB
- MD5
  
  95a30fff5abb6989deac2e4ee5610c65
- SHA1
  
  db2454bfcad98ebfc9999f503064843940083a45
- SHA256
  
  d1247eed7631475e2f38c4446d679d35de0d9d060dc8f7a30c59263b189ecdcf
- SHA512
  
  54c61dcce0383257e06e1b1da50b70c5a3495dd6352ddc0fca3bd4c3d3d2f11b1afd0269ba5997edab4c4d9f62984568f6207337f15dddee665397031e1bdd2c
- SSDEEP
  
  1536:kzVZco9DekPGARdOXVT+5xSjbu7RNzwn:kRuoRGa5xSjbu7RN0n
Score

1^/10
behavioral29 behavioral30
- Target
  
  APT28/4-Privilege Escalation/T1134 Access Token MAnipulation/Token improsonation theft/NSudoLG.exe
- Size
  
  156KB
- MD5
  
  7aacfd85b8dff0aa6867bede82cfd147
- SHA1
  
  e783f6d4b754ea8424699203b8831bdc9cbdd4e6
- SHA256
  
  871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8
- SHA512
  
  59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0
- SSDEEP
  
  3072:uwEUNZLRS8gLI7qwnKE6Cv/89RvD7c5Q9a88QuA6337p:/NBRS8AzdC3Qvr9aDQuA6b
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Download via BitsAdmin

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Indicator Removal: File Deletion

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32