355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4

General

Target

gbound.hta
Size

9KB
MD5

344020eda12e49be499998ace856ed47
SHA1

f0a7431a73e7cb0be73fbc588bd91cf173f672d3
SHA256

355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4
SHA512

c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90
SSDEEP

192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2848	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
2848	powershell.exe
2848	powershell.exe
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

powershell.exe

pid	Process
2848	powershell.exe
2848	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

mshta.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 2136 wrote to memory of 2848	2136	mshta.exe	28
PID 2136 wrote to memory of 2848	2136	mshta.exe	28
PID 2136 wrote to memory of 2848	2136	mshta.exe	28
PID 2136 wrote to memory of 2848	2136	mshta.exe	28
PID 2848 wrote to memory of 2732	2848	powershell.exe	30
PID 2848 wrote to memory of 2732	2848	powershell.exe	30
PID 2848 wrote to memory of 2732	2848	powershell.exe	30
PID 2848 wrote to memory of 2732	2848	powershell.exe	30
PID 2848 wrote to memory of 2732	2848	powershell.exe	30
PID 2848 wrote to memory of 2732	2848	powershell.exe	30
PID 2848 wrote to memory of 2732	2848	powershell.exe	30
PID 2848 wrote to memory of 2620	2848	powershell.exe	31
PID 2848 wrote to memory of 2620	2848	powershell.exe	31
PID 2848 wrote to memory of 2620	2848	powershell.exe	31
PID 2848 wrote to memory of 2620	2848	powershell.exe	31
PID 2620 wrote to memory of 2844	2620	csc.exe	32
PID 2620 wrote to memory of 2844	2620	csc.exe	32
PID 2620 wrote to memory of 2844	2620	csc.exe	32
PID 2620 wrote to memory of 2844	2620	csc.exe	32

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\gbound.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\sWRA.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmstp.exe
    "cmstp.exe" C:\Users\Public\config.inf /au
    3⤵
    PID:2732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t5ww1hpd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAAB.tmp"
      4⤵
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAAC.tmp

Filesize
1KB

MD5
3404c38b692b69fee723eff2668a69a0

SHA1
55547893eaec488b4406ecf883ff1fa688db2c9c

SHA256
f1eb1926b64174cd100e93d402aba724a2e68ecb9a18c4d47f962bb807b0df55

SHA512
b2756dc8bb12da662d8ae9282f0c105cd4f5a765a4118a5a73695d89370ed6896bc8259b50e92645c4db3735a1982707a788360429b360f05258ca29935d5626

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5ww1hpd.dll

Filesize
3KB

MD5
97662f0436dfe6c2705b76b256ab6492

SHA1
8ed5ccfc5afc190441baea35ccca53ff5582134e

SHA256
c0ce59d458283e1ea64aa2b499fb72cd23eb92aeea2b2125a8647fb4e8e1b9b2

SHA512
12ec9f9768870654fa0d667fe3017ef43e4303faa9a7943f8a730da92511992a6fc86cd5dca097007a073ac71b1abb0c920cccc73c73dfc9aa2b5d60d1a16b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5ww1hpd.pdb

Filesize
7KB

MD5
516d7a331f8b770148700635d2f3d7c0

SHA1
c621d5d0c896b9d2f0a17971eb62112f318d31b8

SHA256
0b16359330b03219b7b7c0268394903f7f6312bb6c2b1fba5c168e5daf92a8eb

SHA512
6d3a22321fca7dbdc7d0b8d5fcfe9f003705fbc7aeda757c17f131cdf871e0e993ac78ee1ebce9bed8c2e3d7d8cf41e520feeb534a3953e983b266e26cdcb85e

Download Submit
C:\Users\Public\config.inf

Filesize
793B

MD5
9551f37d1c321b89594ce33dd5c4a166

SHA1
dbde6afe056ffa89f57b3d817767305533ffc723

SHA256
2fb41b2fc5e9a70f7f4b5c4338306b0ad7b6e9a46921c11bb99a24b3f856c99c

SHA512
4fcea7fb0a6fbcbcd1e332c6f41fd0cf7cd5c0635ba798950cfc590aeff89166b5ea26f72fce98af1b7664165e3b91bcade06a072685d0f04ec22195d006f7e8

Download Submit
C:\Users\Public\sWRA.ps1

Filesize
980B

MD5
cdf55a34ebd80623d6ec05b2f0a42c19

SHA1
9a226bd3e721bc082529a74bd7be39787d427538

SHA256
9cf9a284d8520457baa6bbc513174c60744a9ed5662740b92052bb809c72fc6c

SHA512
96e5007617cfe375fd268ed534a6726e0d77a28134e780d20bac69c9918c7662d1704a1fc3f16f517d705ecbec35913cfaf34f7067e280fa8c9302e43b5a41c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAAB.tmp

Filesize
652B

MD5
b5fb2a079c4c62d4a340388c766789dd

SHA1
b4df193ac5c20ba6ecf144d2d3021cc0891e1e43

SHA256
c1b991677b4006b64c90644f48c7774e0a92d4f6ddc0a38d59cde1340314f030

SHA512
db3ad9d65c1f4a7ba2e0f0273e10ac14669e45df7a0d30fb52ee33559a9c16f055911223585ca55262a3eaa59e4a03e4b4883b9ae2a9116a6fc70ed483a80a26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5ww1hpd.0.cs

Filesize
319B

MD5
f3c09788c53ec7b12e03c328440a57fc

SHA1
898711631c676136cc0576370c705d5bb38df060

SHA256
f52036306d49ca5bc0c58242a311526e4d045dcd070b0981db503da5e3a55212

SHA512
cdddd3ffe6563bcd0ff53973b3a3fe7aca3939b77dcb3fcc2e56d93c9f0727a0d5ffa550a21923ffa8a446da589d68a6c26674068bf75233421452a153b9e1ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5ww1hpd.cmdline

Filesize
309B

MD5
0046838109662381accda896cb9949c1

SHA1
d4bee8caca070f51b47daa10c3d4bb2b30a83cad

SHA256
d5dbd473f9d691dba3024cc66988b7645a2b2c1bf03481dc17788fe98a225415

SHA512
a817f0c8b7e80161f54dd71c20c70484de5da897457e97e1ee8d36b8aba774a0327cfc6755f80d049fb8c4db435be865c32b55a19b1a060398df8c8644ff3859

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads