Overview

overview

8

Static

static

8

URLScan

urlscan

1

https://email.helmsm...

windows7_x64

1

https://email.helmsm...

windows10-2004_x64

1

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23-05-2022 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://email.helmsman-properties.com/e/984471/ail-paths-one-link-Fax-Outlook/8brbr/107207830/pahr.johansson%40axactor.se?h=TlbyXCa91JBzWVQfQ7l-AvGJFbw9nbkEgvA_HVemZos

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://email.helmsman-properties.com/e/984471/ail-paths-one-link-Fax-Outlook/8brbr/107207830/pahr.johansson%40axactor.se?h=TlbyXCa91JBzWVQfQ7l-AvGJFbw9nbkEgvA_HVemZos
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\msdt.exe
        -modal 393552 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFC5DE.tmp -ep NetworkDiagnosticsWeb
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:1876
  • C:\Windows\SysWOW64\sdiagnhost.exe
    C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
    1⤵
      PID:1656

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
      Filesize

      1KB

      MD5

      d69e0688754ca34b5cb349fe5f221157

      SHA1

      ab341a7d908731585f981f9faea787778c60dbee

      SHA256

      ce1a716d5582174251790c3e4f513b5759354cd2690f005bfac96390c30e24e8

      SHA512

      15ba6681c549bef5ae03c9eda8e022bbee47056e186d010d30e6ee4eb7134f64427ec02ada6df4b329bd3f844761cbc8ec6a2baa63f0aefd2ac00a7eb6061260

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      b9f21d8db36e88831e5352bb82c438b3

      SHA1

      4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

      SHA256

      998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

      SHA512

      d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
      Filesize

      404B

      MD5

      19a86e39fcb11b0248b34edd4c581d60

      SHA1

      398a62d9e6d33426d71cf56a74bbbf1c5287708f

      SHA256

      876c8e60c2ae1ff893c3c7fba1087134ae7f2a1803f2da4c5cba0f9feca2bb43

      SHA512

      0ad4c0d5f2add0304496d2d04512ff72536e7c58e2dc48f1aa9729d86b102e176dbfffcf789de4c7016361041edb48f40bdcb417158aaa1fac949c1931c9249a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      9ecbae322ae3f8380f181a34d5454789

      SHA1

      42c51158af28bd6ddb8e8d854dcf70318c09eea6

      SHA256

      9d7d6ea8db0dc3ac1c04f23939cb23cae5f53350f16a4cee1bc97aecf11bafe8

      SHA512

      8bc51fddcddb91f303c3ea9bbc71237e2d030574fa05b9f25830d82888361ed546dfe86692d79c93b2e1b3e2bf4ee55d569b59c033eaa3a0b6839185257cfcce

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat
      Filesize

      22KB

      MD5

      7c73e471a4e6730d200237e9cb61f17a

      SHA1

      597cabaae704eb17f378f597cc2a2c3ba2b30ba1

      SHA256

      fc85399d3a6f785412e0e98f29256edbfc8b90662fc87d413f99b7e9842ff7e8

      SHA512

      e66e7e2c8957198ed0fbf36abcf1a7d6e9fa81e9fd4fc1fe9d177cb17c0c02ebfa09b78b045cea4e87400b8e0f0a83e7a78902486df447c6cec0ebd194ef5fbb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\NDFC5DE.tmp
      Filesize

      3KB

      MD5

      5761c4fb32cc8d1058d379c6f16c09c1

      SHA1

      49ee1513feeb4287e3e3100b77e8428e843eacc2

      SHA256

      a928fb26703cc444233e27065d8f6e462c9bc0062a95e0331981ffc214cd4603

      SHA512

      40b9caa5ed543ffe84779f36a7345ac70d32d39d97208b36bcc807322a18b882d9114957181ae682452a59470426e0d6c4cb227e42e0853154591feeab513932

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JF3NM9VN.txt
      Filesize

      608B

      MD5

      9440e0b11e9828c8116cedee0a99636a

      SHA1

      745873093981a65bb2509920bcfd98b34719c1eb

      SHA256

      d949025a3dd051aec8b527a580a1a3d7a68d4212a3f006a694c33997662903ee

      SHA512

      8f4986e370a4f807b07da68bdb2a3aa5915acd1fee8efde035ed5fc472109792f4fa7f48acff636ba00d50f99bd05b8db137aefd08b852cc27e011a88e46cb36

      Download Submit
    • C:\Windows\TEMP\SDIAG_a34dca3e-0804-439c-8bc0-eb7ee90c618f\NetworkDiagnosticsTroubleshoot.ps1
      Filesize

      23KB

      MD5

      1d192ce36953dbb7dc7ee0d04c57ad8d

      SHA1

      7008e759cb47bf74a4ea4cd911de158ef00ace84

      SHA256

      935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

      SHA512

      e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

      Download Submit
    • C:\Windows\TEMP\SDIAG_a34dca3e-0804-439c-8bc0-eb7ee90c618f\UtilityFunctions.ps1
      Filesize

      52KB

      MD5

      2f7c3db0c268cf1cf506fe6e8aecb8a0

      SHA1

      fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

      SHA256

      886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

      SHA512

      322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

      Download Submit
    • C:\Windows\TEMP\SDIAG_a34dca3e-0804-439c-8bc0-eb7ee90c618f\UtilitySetConstants.ps1
      Filesize

      2KB

      MD5

      0c75ae5e75c3e181d13768909c8240ba

      SHA1

      288403fc4bedaacebccf4f74d3073f082ef70eb9

      SHA256

      de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

      SHA512

      8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

      Download Submit
    • C:\Windows\TEMP\SDIAG_a34dca3e-0804-439c-8bc0-eb7ee90c618f\en-US\LocalizationData.psd1
      Filesize

      5KB

      MD5

      dc9be0fdf9a4e01693cfb7d8a0d49054

      SHA1

      74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

      SHA256

      944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

      SHA512

      92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

      Download Submit
    • memory/1656-65-0x000000006E480000-0x000000006EA2B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1656-70-0x00000000026F0000-0x00000000026FF000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1876-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1876-61-0x00000000756E1000-0x00000000756E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1876-63-0x000000006EB01000-0x000000006EB03000-memory.dmp
      Filesize

      8KB

      Download