ba29074e789fcfa51e00ad5d20a9ba73987e0310db692574d391ce08ae27e6f3

Resubmissions

14/06/2023, 06:49

230614-hlvdladg47 7

14/06/2023, 06:32

230614-ha51ysdg3w 7

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/06/2023, 06:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

temp.chm
Size

31KB
MD5

0408df453b49021d324fd44ece1dd48d
SHA1

a23c4678004e0365376e96257790e15ad546ee29
SHA256

ba29074e789fcfa51e00ad5d20a9ba73987e0310db692574d391ce08ae27e6f3
SHA512

bedd7d922735401809810ea039e4a07292e58eb52006d733d584eebe819fcc6e8afbe3c2ea77f58f8c2dfb5a05429528151e5d9ffef099ab157b81574d2533ff
SSDEEP

384:3wtMqw0fNYFFuVMsuynps7Q+9K4GzuK7UR8ctuSlAlcv2:3MPNYFFuVMsuOps7Q+9K4G/eZlAlcv2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1636	hh.exe
1636	hh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1328	1636	hh.exe	28
PID 1636 wrote to memory of 1328	1636	hh.exe	28
PID 1636 wrote to memory of 1328	1636	hh.exe	28
PID 1328 wrote to memory of 432	1328	cmd.exe	30
PID 1328 wrote to memory of 432	1328	cmd.exe	30
PID 1328 wrote to memory of 432	1328	cmd.exe	30
PID 432 wrote to memory of 1008	432	cmd.exe	31
PID 432 wrote to memory of 1008	432	cmd.exe	31
PID 432 wrote to memory of 1008	432	cmd.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\temp.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd /c cmd.exe /c sta^rt ms^ht^a "%cd%\temp.chm" .txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\cmd.exe
    cmd.exe /c start mshta "C:\Users\Admin\AppData\Local\Temp\temp.chm" .txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\system32\mshta.exe
      mshta "C:\Users\Admin\AppData\Local\Temp\temp.chm" .txt
      4⤵
      Modifies Internet Explorer settings
      PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads