Overview

overview

10

Static

static

1

355851dbcd...c4.hta

windows7-x64

3

355851dbcd...c4.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta

  • Size

    9KB

  • MD5

    344020eda12e49be499998ace856ed47

  • SHA1

    f0a7431a73e7cb0be73fbc588bd91cf173f672d3

  • SHA256

    355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4

  • SHA512

    c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90

  • SSDEEP

    192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\sWRA.ps1
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmstp.exe
        "cmstp.exe" C:\Users\Public\config.inf /au
        3⤵
          PID:2060
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwwgcftp.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1BC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA1BB.tmp"
            4⤵
              PID:2692

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESA1BC.tmp
        Filesize

        1KB

        MD5

        62e37d83f8de5e397d4b3b74c785dba4

        SHA1

        fe475063331bd2ca45df0351fbd8bb227325f469

        SHA256

        d8129998656d4f27f6bafd7cdc636871856d2ba01e56d39c30d9b07cd91c912d

        SHA512

        30bfa1261c6d31e69c086971b3929f836e4da68b25edf56f2506c38b4b7efa76aaae6452aa2424c1352d84fa60fe65177f1fbfc6b3e9b6bf9cc4106fe4253e0a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\kwwgcftp.dll
        Filesize

        3KB

        MD5

        e69316c809494a450a7ed7a7eac132f1

        SHA1

        5cea8bfa88fe7b89b3b013ba0f9630ecc66aecca

        SHA256

        3cba4552fa4f99675e0e1a0639677b4a46ea64dc96ab0850b4a8fd386621148a

        SHA512

        a2f071494688d0c0576b604f953a5a18e3f035edf4053e19df35d6f3e1f6c7a44b782aa4226876b45c1830cf6fd143c713afeb3ed51e637ab4350461b9d2e363

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\kwwgcftp.pdb
        Filesize

        7KB

        MD5

        8b359a9ae7d190e2e016ca5bdfec84a1

        SHA1

        82cb88ca06626ce9a899a0c0b8d3b7ffe2fcf9af

        SHA256

        97a582b7109027b979b7eff4839a4f9da63a9b0ec7d8c2d1c24477da20f5046c

        SHA512

        4a8fa1e66e6c8612308335aefd2351d2a3b33f4efc8a331fba482f080bc7fd38bf3d1980c238ebf060e6ccb8e467216792b49db73c47de6fa87ed5ab661ac7c9

        Download Submit
      • C:\Users\Public\config.inf
        Filesize

        793B

        MD5

        9551f37d1c321b89594ce33dd5c4a166

        SHA1

        dbde6afe056ffa89f57b3d817767305533ffc723

        SHA256

        2fb41b2fc5e9a70f7f4b5c4338306b0ad7b6e9a46921c11bb99a24b3f856c99c

        SHA512

        4fcea7fb0a6fbcbcd1e332c6f41fd0cf7cd5c0635ba798950cfc590aeff89166b5ea26f72fce98af1b7664165e3b91bcade06a072685d0f04ec22195d006f7e8

        Download Submit
      • C:\Users\Public\sWRA.ps1
        Filesize

        980B

        MD5

        cdf55a34ebd80623d6ec05b2f0a42c19

        SHA1

        9a226bd3e721bc082529a74bd7be39787d427538

        SHA256

        9cf9a284d8520457baa6bbc513174c60744a9ed5662740b92052bb809c72fc6c

        SHA512

        96e5007617cfe375fd268ed534a6726e0d77a28134e780d20bac69c9918c7662d1704a1fc3f16f517d705ecbec35913cfaf34f7067e280fa8c9302e43b5a41c1

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\CSCA1BB.tmp
        Filesize

        652B

        MD5

        8fde356aebdc0bb9a45eb9c25f7a5bd0

        SHA1

        04e80e25469ed9b90083266a89f3719e2ede3e9c

        SHA256

        fe0cb1adb1f3c88f4c943757a9f1af9654dd8977d85c75f79997ad90a75fba13

        SHA512

        a3fb197d890a2ffa9ae5d9b9c9627c17a524bd9cceac2f469abf34eb11cefb32e5b5da87b1055f6882a87bf6d622cdbdf4e65b95c57ffdfec16ccd9996580f8c

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\kwwgcftp.0.cs
        Filesize

        319B

        MD5

        f3c09788c53ec7b12e03c328440a57fc

        SHA1

        898711631c676136cc0576370c705d5bb38df060

        SHA256

        f52036306d49ca5bc0c58242a311526e4d045dcd070b0981db503da5e3a55212

        SHA512

        cdddd3ffe6563bcd0ff53973b3a3fe7aca3939b77dcb3fcc2e56d93c9f0727a0d5ffa550a21923ffa8a446da589d68a6c26674068bf75233421452a153b9e1ce

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\kwwgcftp.cmdline
        Filesize

        309B

        MD5

        5de6263844263caa3f5a564a2b9dd8b0

        SHA1

        8021488ce995484d496ffd5a7578d0a9d9029aa6

        SHA256

        34b97a76f643f830ff8c4b4aa074d93b35a9e414f839b604bf3e0d29a3723134

        SHA512

        a8faf6106a978b63303cdf80bd44832a07704b73f32c2af4dfd3b10b390a8fbe0a14e3119fa1e868be8474f2e4b16234841e167ab5666ad05f80ddf262094f29

        Download Submit