355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4

General

Target

355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta
Size

9KB
MD5

344020eda12e49be499998ace856ed47
SHA1

f0a7431a73e7cb0be73fbc588bd91cf173f672d3
SHA256

355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4
SHA512

c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90
SSDEEP

192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2516	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2516	powershell.exe
2516	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2516	1308	mshta.exe	28
PID 1308 wrote to memory of 2516	1308	mshta.exe	28
PID 1308 wrote to memory of 2516	1308	mshta.exe	28
PID 1308 wrote to memory of 2516	1308	mshta.exe	28
PID 2516 wrote to memory of 2060	2516	powershell.exe	30
PID 2516 wrote to memory of 2060	2516	powershell.exe	30
PID 2516 wrote to memory of 2060	2516	powershell.exe	30
PID 2516 wrote to memory of 2060	2516	powershell.exe	30
PID 2516 wrote to memory of 2060	2516	powershell.exe	30
PID 2516 wrote to memory of 2060	2516	powershell.exe	30
PID 2516 wrote to memory of 2060	2516	powershell.exe	30
PID 2516 wrote to memory of 2600	2516	powershell.exe	31
PID 2516 wrote to memory of 2600	2516	powershell.exe	31
PID 2516 wrote to memory of 2600	2516	powershell.exe	31
PID 2516 wrote to memory of 2600	2516	powershell.exe	31
PID 2600 wrote to memory of 2692	2600	csc.exe	32
PID 2600 wrote to memory of 2692	2600	csc.exe	32
PID 2600 wrote to memory of 2692	2600	csc.exe	32
PID 2600 wrote to memory of 2692	2600	csc.exe	32

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\sWRA.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmstp.exe
    "cmstp.exe" C:\Users\Public\config.inf /au
    3⤵
    PID:2060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwwgcftp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1BC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA1BB.tmp"
      4⤵
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA1BC.tmp

Filesize
1KB

MD5
62e37d83f8de5e397d4b3b74c785dba4

SHA1
fe475063331bd2ca45df0351fbd8bb227325f469

SHA256
d8129998656d4f27f6bafd7cdc636871856d2ba01e56d39c30d9b07cd91c912d

SHA512
30bfa1261c6d31e69c086971b3929f836e4da68b25edf56f2506c38b4b7efa76aaae6452aa2424c1352d84fa60fe65177f1fbfc6b3e9b6bf9cc4106fe4253e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwgcftp.dll

Filesize
3KB

MD5
e69316c809494a450a7ed7a7eac132f1

SHA1
5cea8bfa88fe7b89b3b013ba0f9630ecc66aecca

SHA256
3cba4552fa4f99675e0e1a0639677b4a46ea64dc96ab0850b4a8fd386621148a

SHA512
a2f071494688d0c0576b604f953a5a18e3f035edf4053e19df35d6f3e1f6c7a44b782aa4226876b45c1830cf6fd143c713afeb3ed51e637ab4350461b9d2e363

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwgcftp.pdb

Filesize
7KB

MD5
8b359a9ae7d190e2e016ca5bdfec84a1

SHA1
82cb88ca06626ce9a899a0c0b8d3b7ffe2fcf9af

SHA256
97a582b7109027b979b7eff4839a4f9da63a9b0ec7d8c2d1c24477da20f5046c

SHA512
4a8fa1e66e6c8612308335aefd2351d2a3b33f4efc8a331fba482f080bc7fd38bf3d1980c238ebf060e6ccb8e467216792b49db73c47de6fa87ed5ab661ac7c9

Download Submit
C:\Users\Public\config.inf

Filesize
793B

MD5
9551f37d1c321b89594ce33dd5c4a166

SHA1
dbde6afe056ffa89f57b3d817767305533ffc723

SHA256
2fb41b2fc5e9a70f7f4b5c4338306b0ad7b6e9a46921c11bb99a24b3f856c99c

SHA512
4fcea7fb0a6fbcbcd1e332c6f41fd0cf7cd5c0635ba798950cfc590aeff89166b5ea26f72fce98af1b7664165e3b91bcade06a072685d0f04ec22195d006f7e8

Download Submit
C:\Users\Public\sWRA.ps1

Filesize
980B

MD5
cdf55a34ebd80623d6ec05b2f0a42c19

SHA1
9a226bd3e721bc082529a74bd7be39787d427538

SHA256
9cf9a284d8520457baa6bbc513174c60744a9ed5662740b92052bb809c72fc6c

SHA512
96e5007617cfe375fd268ed534a6726e0d77a28134e780d20bac69c9918c7662d1704a1fc3f16f517d705ecbec35913cfaf34f7067e280fa8c9302e43b5a41c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA1BB.tmp

Filesize
652B

MD5
8fde356aebdc0bb9a45eb9c25f7a5bd0

SHA1
04e80e25469ed9b90083266a89f3719e2ede3e9c

SHA256
fe0cb1adb1f3c88f4c943757a9f1af9654dd8977d85c75f79997ad90a75fba13

SHA512
a3fb197d890a2ffa9ae5d9b9c9627c17a524bd9cceac2f469abf34eb11cefb32e5b5da87b1055f6882a87bf6d622cdbdf4e65b95c57ffdfec16ccd9996580f8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kwwgcftp.0.cs

Filesize
319B

MD5
f3c09788c53ec7b12e03c328440a57fc

SHA1
898711631c676136cc0576370c705d5bb38df060

SHA256
f52036306d49ca5bc0c58242a311526e4d045dcd070b0981db503da5e3a55212

SHA512
cdddd3ffe6563bcd0ff53973b3a3fe7aca3939b77dcb3fcc2e56d93c9f0727a0d5ffa550a21923ffa8a446da589d68a6c26674068bf75233421452a153b9e1ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kwwgcftp.cmdline

Filesize
309B

MD5
5de6263844263caa3f5a564a2b9dd8b0

SHA1
8021488ce995484d496ffd5a7578d0a9d9029aa6

SHA256
34b97a76f643f830ff8c4b4aa074d93b35a9e414f839b604bf3e0d29a3723134

SHA512
a8faf6106a978b63303cdf80bd44832a07704b73f32c2af4dfd3b10b390a8fbe0a14e3119fa1e868be8474f2e4b16234841e167ab5666ad05f80ddf262094f29

Download Submit

Analysis

Sharing