Armageddon is more than a Grammy-nominated album

June 26, 2024, 8:27 a.m.

Description

This report details a Russia-linked threat actor targeting Ukraine that employs several obfuscation techniques. The activity drops a compressed file disguised as a RAR archive, which fetches a remote image, most likely to track execution. The payload uses mshta.exe to execute remote content and relies on LNK files with crafted filenames. Together, these techniques indicate an effort to evade detection and hamper analysis.

Date

Published: June 26, 2024, 8:18 a.m.

Created: June 26, 2024, 8:18 a.m.

Modified: June 26, 2024, 8:27 a.m.

Indicators


Attack Patterns

UNC530

T1036.004

T1197

T1560.001

T1059.001

T1059.007

T1071.001

T1036.005

T1204.002

T1105

T1219

T1027

Additional Information

Ukraine