Analysis

  • max time kernel
    124s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-05-2022 08:06

General

  • Target

    https://email.helmsman-properties.com/e/984471/ail-paths-one-link-Fax-Outlook/8brbr/107207830/pahr.johansson%40axactor.se?h=TlbyXCa91JBzWVQfQ7l-AvGJFbw9nbkEgvA_HVemZos

Score
1/10

Malware Config

Signatures

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://email.helmsman-properties.com/e/984471/ail-paths-one-link-Fax-Outlook/8brbr/107207830/pahr.johansson%40axactor.se?h=TlbyXCa91JBzWVQfQ7l-AvGJFbw9nbkEgvA_HVemZos
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1856
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1468
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\vm.wav"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3516
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x524 0x51c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1104
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\system32\dashost.exe
      dashost.exe {a81da228-c5cd-4ecd-8b7d5609915d823f}
      2⤵
      PID:3120
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (2) T1112
  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (1) T1082


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    Filesize: 1KB
    MD5: d69e0688754ca34b5cb349fe5f221157
    SHA1: ab341a7d908731585f981f9faea787778c60dbee
    SHA256: ce1a716d5582174251790c3e4f513b5759354cd2690f005bfac96390c30e24e8
    SHA512: 15ba6681c549bef5ae03c9eda8e022bbee47056e186d010d30e6ee4eb7134f64427ec02ada6df4b329bd3f844761cbc8ec6a2baa63f0aefd2ac00a7eb6061260

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 6feb4750c81f3cccd89d617256efff07
    SHA1: 65aa1afa690bb208466f5326b3f39be900ca3751
    SHA256: d7d6f9f42427e271f85faeac6705b729d6d30bf406de86ef908327703fb71a09
    SHA512: f8b0b74732e601a3a670366c91c688ebe92e30af219f375a10cdf0dbf7344ccf5c489453129d4b15321d2017a651ef34ce026145692a54c239b418252fd23212

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    Filesize: 404B
    MD5: e2ee24854091c3c4f68f57e18e4cd192
    SHA1: af5570b8a7c429d070a9b723fe03f3a2b227386f
    SHA256: 7fa5219ef6f9e3d56b6b3cf633516c1f1e8a8ee82cf6dad55395f12bdf359483
    SHA512: 09e4c42a712851c21821f528de5ba9745272737abb2a632994a5b6329c9e121a58de32b148795d1889caca3b021ed467ad77b41392a7ca1d2d8a2747460160eb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: e8dd1ed514fae632624173aaef9df652
    SHA1: 4a114b3bfe12260a9e736d30088b2b1d5eb8f879
    SHA256: e1af4bc5631ad9652eaddcab525ecb5c316d27eeac778c5c707f8e66a4041e7c
    SHA512: ea3513b93b7aa75dadf0c2babda034481291f8c3f83870055ba446c1870214faaa3ff96ecaef538b9338f8fa6fc66a2feb85b1bc60cdf3fa310f79d239e56967

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
    Filesize: 15KB
    MD5: 1a545d0052b581fbb2ab4c52133846bc
    SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1dmutkj\imagestore.dat
    Filesize: 17KB
    MD5: 2aa135be1d0f55b7ede3c076c09f0039
    SHA1: de78fed8f5051969a2166772c5d2b535e6d682b9
    SHA256: a66a2c4e53f92ffc148d8a1d04ae45963517d55b344242d5c2356cb8ed5fb544
    SHA512: db3f0cc95eaf9ba13d3ff4ab0ec47b0babbaddd7f629f2021d6e67594f13322138dc68332f7f80982218327cb472d357d0ba7c4776159d9e6527ecaf572ab010

  • C:\Users\Admin\Downloads\vm.wav.mlbe7oe.partial
    Filesize: 286KB
    MD5: 13f3f23bd1c31f7851b7795f22878744
    SHA1: 1e364a29adb8fd0a94cd211390f382fabf53f165
    SHA256: 0c4bca60c27b742d74aeaf19f28cc0b94db6c51e932778ee86d8503429c04626
    SHA512: 611db91276c6eef8876470dfef5fca2baeb2aba8fa87fe4bb8a26b07d4e705c31655e7502ba4a1736db0e6cb1d3d204480b283d4a8939a462fbe711ec7d01375

  • memory/3120-137-0x0000000000000000-mapping.dmp