Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
22-07-2021 08:22
Static task
static1
Behavioral task
behavioral1
Sample
1.hta
Resource
win7v20210410
Behavioral task
behavioral2
Sample
1.hta
Resource
win10v20210410
General
-
Target
1.hta
-
Size
2KB
-
MD5
c5f48abc68324cd059e74b35c44b64c7
-
SHA1
e68b086934eb0d4576ac3711062efba4236df436
-
SHA256
9a3c69a9e5f02c1e3022586c5ffe3e9dca7224f4c5107ce1f758eae62f747576
-
SHA512
271dedd705ed5a64cda497d0b86cd1509f34911602aac65cbc8a5120ef37efccc2ec8d45538cec29e1bbb5aa5fb5d76aa0a3502e00208e0c4067d4dd9b465d21
Malware Config
Extracted
trickbot
2000031
zev1
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
181.114.215.239:443
113.160.132.237:443
105.30.26.50:443
202.165.47.106:443
103.122.228.44:443
-
autorun
Name: pwgrabb
Name: pwgrabc
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description           pid  process       target process
PID 524 created 1264  524  regsvr32.exe  Explorer.EXE
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
6     308  mshta.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 7 IoCs
Processes:
pid   process
660   regsvr32.exe
524   regsvr32.exe
240   regsvr32.exe
1124  rundll32.exe
1124  rundll32.exe
1124  rundll32.exe
1124  rundll32.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                        pid  process       target process
PID 524 set thread context of 436  524  regsvr32.exe  chrome.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description  ioc                                                                                                     process
Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid  process
524  regsvr32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                     pid  process       target process
PID 308 wrote to memory of 660  308  mshta.exe     regsvr32.exe   (7 identical entries)
PID 660 wrote to memory of 524  660  regsvr32.exe  regsvr32.exe   (7 identical entries)
PID 524 wrote to memory of 436  524  regsvr32.exe  chrome.exe     (50 identical entries)
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
  [2] C:\Windows\SysWOW64\mshta.exe
      command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\regsvr32.exe
        command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\simpleAndAnd.jpg
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\regsvr32.exe
          command line: c:\users\public\simpleAndAnd.jpg
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    [3] C:\Windows\system32\rundll32.exe
        command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll" DllRegisterServer
      [4] C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll" DllRegisterServer
          - Loads dropped DLL
        [5] C:\Windows\system32\wermgr.exe
            command line: C:\Windows\system32\wermgr.exe
[1] C:\Windows\system32\regsvr32.exe
    command line: regsvr32 /s "c:\users\public\simpleAndAnd.jpg"
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5     2902de11e30dcc620b184e3bb0f0c1cb
SHA1    5d11d14a2558801a2688dc2d6dfad39ac294f222
SHA256  e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
SHA512  efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5     0a927dd65ac753dd32e4e999142ede1b
SHA1    ad6dfe7da3a206443d035825b1c6c33f0ecf2956
SHA256  229ba767be9d71b60463b14f5b23a201a383be2fad885b5d3bfe237c13a85700
SHA512  c31efaedcf621d94fed1e0f5f615303acace7df2be3efac852418f6b03445a4a7dd408bf7f407e8388f226a16373bab3429907244fd69ab3d3c057cfce533db1
-
C:\Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll
MD5     188080ab83370f99d2a5026f8abd00ea
SHA1    bfa8dd3321b3c852104a2a446b59cb44d410bef9
SHA256  62f3ede975bbd1fa2f72bc4f2c77f9256e48dea1187ad4d1d6f8e4eda22cf35f
SHA512  1532fcf915bbe876e5574030e3af3958e86856264d0557bfb6342b5772b230b14790dd28cf53b9887220b9f0d547eb53871240ccc86d646402d7ad4653f53d1d
-
\??\c:\users\public\simpleAndAnd.jpg
MD5     7050cfe8a95eefadad00ff8e3b0e7013
SHA1    24f2a04730eaf05de193c18c16363d1a733178e7
SHA256  cb2aaeff0f1337e92cd73b4108d2f43351b1cd70c126d1494743d44355368467
SHA512  663bd4e44a2167e4c0efb866ec6b7ade786885104fa7bf66a73ffd3a9f1af0a00baf4efe879d8bf30b8265c75d9d7a19ef07a0c9ca9c226987da2e9e61f22700
-
\Users\Admin\AppData\Local\Temp\wwnstdbihbs.dll
MD5     188080ab83370f99d2a5026f8abd00ea
SHA1    bfa8dd3321b3c852104a2a446b59cb44d410bef9
SHA256  62f3ede975bbd1fa2f72bc4f2c77f9256e48dea1187ad4d1d6f8e4eda22cf35f
SHA512  1532fcf915bbe876e5574030e3af3958e86856264d0557bfb6342b5772b230b14790dd28cf53b9887220b9f0d547eb53871240ccc86d646402d7ad4653f53d1d
-
\Users\Public\simpleAndAnd.jpg
MD5     7050cfe8a95eefadad00ff8e3b0e7013
SHA1    24f2a04730eaf05de193c18c16363d1a733178e7
SHA256  cb2aaeff0f1337e92cd73b4108d2f43351b1cd70c126d1494743d44355368467
SHA512  663bd4e44a2167e4c0efb866ec6b7ade786885104fa7bf66a73ffd3a9f1af0a00baf4efe879d8bf30b8265c75d9d7a19ef07a0c9ca9c226987da2e9e61f22700
-
memory/240-74-0x0000000001EA0000-0x0000000001EDE000-memory.dmp
Filesize  248KB
-
memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp
Filesize  8KB
-
memory/436-69-0x000000013F0F0000-0x000000013F335000-memory.dmp
Filesize  2.3MB
-
memory/436-70-0x000000013F3077D8-mapping.dmp
-
memory/436-71-0x000000013F0F0000-0x000000013F335000-memory.dmp
Filesize  2.3MB
-
memory/524-65-0x0000000000000000-mapping.dmp
-
memory/524-66-0x000007FEFC661000-0x000007FEFC663000-memory.dmp
Filesize  8KB
-
memory/524-68-0x0000000001F10000-0x0000000001F4E000-memory.dmp
Filesize  248KB
-
memory/660-61-0x0000000000000000-mapping.dmp
-
memory/1100-89-0x0000000000000000-mapping.dmp
-
memory/1100-90-0x0000000000060000-0x0000000000088000-memory.dmp
Filesize  160KB
-
memory/1100-91-0x0000000000110000-0x0000000000111000-memory.dmp
Filesize  4KB
-
memory/1124-79-0x0000000000000000-mapping.dmp
-
memory/1124-85-0x0000000000A90000-0x0000000000CED000-memory.dmp
Filesize  2.4MB
-
memory/1124-87-0x0000000000190000-0x00000000001A1000-memory.dmp
Filesize  68KB
-
memory/1124-86-0x0000000000290000-0x00000000002D3000-memory.dmp
Filesize  268KB
-
memory/1124-88-0x0000000010001000-0x0000000010003000-memory.dmp
Filesize  8KB
-
memory/1196-77-0x0000000000000000-mapping.dmp