7a2e6f998920931de03d76bc1fc5087a22becd02301713342a78957afa80b652

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tools/run.hta
Size

2KB
MD5

d0e69969ac10cee9ac933c3223542059
SHA1

7f9246b3bcb6f1cf1b5d9f26ad7a747dc4fbceb3
SHA256

11abb36beb797e400f6d5fc924f8ae07f40ec41aeb1b1b43f6583bb60a875cd5
SHA512

4bd2df510345263952df26c7b6c9f2fc57e1af4046919d68f8a9aa3c8b1d60127a4bef6b75bf915710287e8a1e442437dde135eb3ac7d4dc10321ffbf97dc2d6

Score

8^/10

discovery evasion spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 18 IoCs

Processes:

mshta.exe

flow	pid	process
4	1484	mshta.exe
5	1484	mshta.exe
7	1484	mshta.exe
10	1484	mshta.exe
13	1484	mshta.exe
14	1484	mshta.exe
15	1484	mshta.exe
17	1484	mshta.exe
18	1484	mshta.exe
20	1484	mshta.exe
22	1484	mshta.exe
26	1484	mshta.exe
27	1484	mshta.exe
28	1484	mshta.exe
29	1484	mshta.exe
32	1484	mshta.exe
33	1484	mshta.exe
34	1484	mshta.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2752 netsh.exe
1440 netsh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs net.exe

pid	process
2752	netsh.exe
1440	netsh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

mshta.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1484 wrote to memory of 872	1484	mshta.exe	cmd.exe
PID 1484 wrote to memory of 872	1484	mshta.exe	cmd.exe
PID 1484 wrote to memory of 872	1484	mshta.exe	cmd.exe
PID 1484 wrote to memory of 872	1484	mshta.exe	cmd.exe
PID 872 wrote to memory of 2752	872	cmd.exe	netsh.exe
PID 872 wrote to memory of 2752	872	cmd.exe	netsh.exe
PID 872 wrote to memory of 2752	872	cmd.exe	netsh.exe
PID 872 wrote to memory of 2752	872	cmd.exe	netsh.exe
PID 1484 wrote to memory of 2800	1484	mshta.exe	cmd.exe
PID 1484 wrote to memory of 2800	1484	mshta.exe	cmd.exe
PID 1484 wrote to memory of 2800	1484	mshta.exe	cmd.exe
PID 1484 wrote to memory of 2800	1484	mshta.exe	cmd.exe
PID 2800 wrote to memory of 1440	2800	cmd.exe	netsh.exe
PID 2800 wrote to memory of 1440	2800	cmd.exe	netsh.exe
PID 2800 wrote to memory of 1440	2800	cmd.exe	netsh.exe
PID 2800 wrote to memory of 1440	2800	cmd.exe	netsh.exe
PID 1484 wrote to memory of 2396	1484	mshta.exe	net.exe
PID 1484 wrote to memory of 2396	1484	mshta.exe	net.exe
PID 1484 wrote to memory of 2396	1484	mshta.exe	net.exe
PID 1484 wrote to memory of 2396	1484	mshta.exe	net.exe
PID 2396 wrote to memory of 1208	2396	net.exe	net1.exe
PID 2396 wrote to memory of 1208	2396	net.exe	net1.exe
PID 2396 wrote to memory of 1208	2396	net.exe	net1.exe
PID 2396 wrote to memory of 1208	2396	net.exe	net1.exe
PID 1484 wrote to memory of 1932	1484	mshta.exe	rundll32.exe
PID 1484 wrote to memory of 1932	1484	mshta.exe	rundll32.exe
PID 1484 wrote to memory of 1932	1484	mshta.exe	rundll32.exe
PID 1484 wrote to memory of 1932	1484	mshta.exe	rundll32.exe
PID 1484 wrote to memory of 1932	1484	mshta.exe	rundll32.exe
PID 1484 wrote to memory of 1932	1484	mshta.exe	rundll32.exe
PID 1484 wrote to memory of 1932	1484	mshta.exe	rundll32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Tools\run.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_57414.txt""
2⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"
3⤵
- Modifies Windows Firewall
PID:2752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Tools\tools\aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_94275.txt""
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Tools\tools\aria2c.exe"
3⤵
- Modifies Windows Firewall
PID:1440

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start wscsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start wscsvc
3⤵
PID:1208

C:\Windows\SysWOW64\rundll32.exe
rundll32 kernel32,Sleep
2⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\collect[1].gif
Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\allfont[1].htm
Filesize
175B

MD5
5255b05e221a2ee9e73b8d9ca6eaa4ad

SHA1
28d5fbabcdcc49246e71721c45d49a0dd025cb0b

SHA256
ed2ae741d3478834f11bdecc1f4a8e179bc295a99e489936befac5ee4eaf4cc5

SHA512
59941bf156a18037f99367a8455137ffaad3ca0d2da6b3b604e6d17caa4299789b463908cf812e07477aee07e7a6fd4b7fcbad598ffb48d57a76a018da368e05

Download Submit
C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_57414.txt
Filesize
9B

MD5
02466847c63e90c5041b8dd7990dce27

SHA1
fdcf71f16e2efcb8815730b4cca5f580b185cf5c

SHA256
195418a93d769a17558aa804568eff487979e62d0731aa8c63d8d0ffc1723321

SHA512
86b11957db369afa71831c72848b897aafd155887467a377484d0346dcaeaac88476cad2331e34a24e7f8ac3a07335dd1e639ae27bfa0d4491dcc6a48a7e6ff3

Download Submit